Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution
28-Jun-23
Gentoo Soko has been found to include a number of SQL injection flaws that could allow remote code execution (RCE) on susceptible computers. According to SonarSource researcher Thomas Chauchefoin, these SQL injections occurred despite the usage of an Object-Relational Mapping (ORM) library and prepared statements. He added that they may have caused RCE on Soko due to a “misconfiguration of the database.”
The two problems, which were found using Soko’s search function, have been categorised as CVE-2023-28424 (CVSS rating: 9.1). On March 17, 2023, they were handled 24 hours after being disclosed responsibly. A Go software module called Soko allows users to quickly browse among the various Portage packages that are available for the Gentoo Linux system by using packages.gentoo.org.
