{
  "threat_severity" : "Moderate",
  "public_date" : "2019-08-01T08:00:00Z",
  "bugzilla" : {
    "description" : "Django: SQL injection possibility in key and index lookups for JSONField/HStoreField",
    "id" : "1734417",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1734417"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function." ],
  "statement" : "This issue affects the versions of python-django as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 2 and 3, as they contain the vulnerable code.\nThis issue affects Red Hat Update Infrastructure for Cloud Providers, but the vulnerable functions in python-django are currently not used in any part of the product.\nThis issue does not affect Red Hat Satellite, as the vulnerable functions in python-django are not used.\nRed Hat OpenStack Platform:\n* This issue affects all versions of python-django shipped with Red Hat OpenStack Platform versions 9-15, as they contain the vulnerable code. However, the versions of python-django shipped with Red Hat OpenStack Platform versions 9 and 10 do not contain the code for JSONField.\n* Because the flaw's impact is Medium, it will not be fixed in Red Hat OpenStack Platform 9, which is retiring on August 24.",
  "acknowledgement" : "Red Hat would like to thank the Django project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4390",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "python-django-0:1.11.27-1.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4390",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "python-django-0:1.11.27-1.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 15.0 (Stein)",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1324",
    "cpe" : "cpe:/a:redhat:openstack:15::el8",
    "package" : "python-django-0:2.1.11-1.el8ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Not affected",
    "package_name" : "calamari-server",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:certifications:1::el7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Out of support scope",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack:14"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack:9"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka) Operational Tools",
    "fix_state" : "Will not fix",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack-optools:9"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Update Infrastructure 3 for Cloud Providers",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:rhui:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-14234\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14234\nhttps://www.djangoproject.com/weblog/2019/aug/01/security-releases/" ],
  "name" : "CVE-2019-14234",
  "csaw" : false
}