Django Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2019-14234 - Vulnerability Database


Critical
Reference: CVE-2019-14234
Title: Django Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability
Overview:

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField were subject to SQL injection: the key or index name taken from the lookup (the part after the field name in `data__<key>`) was interpolated into the generated SQL instead of being passed as a query parameter. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function. The lookup name is only attacker-controlled when the application builds it from untrusted input, for instance by expanding request parameters directly into filter(**kwargs); applications that hard-code their JSONField/HStoreField lookups are not reachable through this path, but should still upgrade to a fixed release.
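The following is an added illustration, not code from Django or from this database entry. It models, in a few lines of plain Python, the difference between interpolating the key name into the `->` lookup (the pre-fix behaviour) and binding it as a parameter (the post-fix behaviour), runs a constructed "OR 1=1" key through both, and shows the allowlist check a view should apply before expanding request parameters into `filter(**kwargs)`. The table/column name, the allowed key set and the crafted key are all hypothetical; nothing here touches a database.

```python
import re

# Simplified stand-in (constructed for this example, NOT Django's source) for how a
# postgres KeyTransform emitted the "->" key lookup before and after the
# CVE-2019-14234 fix.  The left-hand side is a hypothetical table/column.
LHS = '"app_item"."data"'


def vulnerable_key_lookup(lhs, key_name):
    """Pre-fix shape: the key name is pasted into the SQL text.  Numeric keys become
    index lookups, anything else is single-quoted inline, so a quote inside
    key_name terminates the literal and the rest is executed as SQL."""
    try:
        lookup = "%s" % int(key_name)
    except ValueError:
        lookup = "'%s'" % key_name
    return "(%s -> %s)" % (lhs, lookup), []


def fixed_key_lookup(lhs, key_name):
    """Post-fix shape: the key (int index or str key) travels as a bind parameter,
    so its content can never change the query structure."""
    try:
        lookup = int(key_name)
    except ValueError:
        lookup = key_name
    return "(%s -> %%s)" % lhs, [lookup]


def build_where(filter_kwargs, key_lookup):
    """Model QuerySet.filter(**kwargs) restricted to data__<key> exact lookups.
    Returns the WHERE clause text and the parameter list that would be bound."""
    clauses, params = [], []
    for lookup_name, value in filter_kwargs.items():
        field, _, key = lookup_name.partition("__")
        if field != "data" or not key:
            raise ValueError("this model only handles data__<key> lookups")
        sql, key_params = key_lookup(LHS, key)
        clauses.append("%s = %%s" % sql)
        params.extend(key_params)
        params.append(value)
    return "WHERE " + " AND ".join(clauses), params


# Crafted key, constructed for illustration: it closes the quoted key, appends a
# tautology, then re-opens a literal so the trailing "') = %s" still parses.
CRAFTED_KEY = "a') = '1' OR 1=1 OR ('b"
ATTACK_KWARGS = {"data__" + CRAFTED_KEY: "anything"}

# Defense in depth for application code: only identifier-shaped, allowlisted keys
# may become lookup names.  ALLOWED_KEYS is a hypothetical per-view allowlist.
SAFE_KEY = re.compile(r"^[A-Za-z0-9_]+$")
ALLOWED_KEYS = {"colour", "size"}


def safe_filter_kwargs(query_params, allowed=ALLOWED_KEYS):
    """Turn request parameters into filter(**kwargs) without letting the caller
    choose the lookup name: unknown or oddly shaped keys are dropped."""
    out = {}
    for key, value in query_params.items():
        if key in allowed and SAFE_KEY.match(key):
            out["data__" + key] = value
    return out


if __name__ == "__main__":
    print("vulnerable:", build_where(ATTACK_KWARGS, vulnerable_key_lookup))
    print("fixed:     ", build_where(ATTACK_KWARGS, fixed_key_lookup))
    print("allowlist: ", safe_filter_kwargs({"colour": "red", CRAFTED_KEY: "x"}))
```

In the vulnerable shape the crafted key lands verbatim in the SQL text and the only bound parameter is the value, so the `OR 1=1` is evaluated by the database; in the fixed shape the SQL is always `(... -> %s) = %s` and the crafted key is just a string parameter. The allowlist function is the application-side control: even on a patched Django, exposing arbitrary lookup names from request data is a poor idea, and the advisory's precondition (attacker-chosen keys reaching `filter(**kwargs)`) disappears once the key set is fixed by the view.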