
Critical SQL Injection Flaws Exposed Gentoo Soko to Remote Code Execution
Several SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems.
“This SQL injection occurred despite using the Object-Relational Mapping (ORM) library and prepared statements,” SonarSource researcher Thomas Chauchefoin said, adding that exploiting them could result in RCE on Soko due to a “misconfigured database.”
The two issues, found in the Soko search tool, have been tracked collectively as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023.
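To illustrate the researcher's remark above (this is an added example, not code from Soko or SonarSource), the snippet below uses an in-memory SQLite table as a constructed stand-in for a package index and contrasts a search that splices the term into the query text with one that binds it as a parameter. Wrapping the first query in a prepared statement would not help: the injected text is already part of the statement before it is prepared, which is why an ORM with a raw-SQL escape hatch offers no protection on its own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; this is not Soko's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (atom TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO packages VALUES (?, ?)",
        [
            ("app-editors/vim", "Vi IMproved"),
            ("dev-lang/go", "Go programming language"),
            ("sys-apps/portage", "Gentoo package manager"),
        ],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    # The user-controlled term becomes part of the SQL text itself, so any
    # quote or comment sequence in it changes the query's structure. Preparing
    # this string afterwards changes nothing: the damage is done at build time.
    sql = f"SELECT atom FROM packages WHERE atom LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # The SQL text is a constant; the term travels as a bound parameter and
    # can only ever be compared as data, never parsed as SQL.
    sql = "SELECT atom FROM packages WHERE atom LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a quote closes the literal, a tautology follows,
    # and a comment marker discards the rest of the original query.
    crafted = "x' OR 1=1 --"
    print("benign, unsafe:", search_unsafe(db, "vim"))
    print("benign, safe:  ", search_safe(db, "vim"))
    print("crafted, unsafe:", search_unsafe(db, crafted))  # every row leaks
    print("crafted, safe:  ", search_safe(db, crafted))    # no rows
```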
Soko is the Go software module that powers packages.gentoo.org, which offers users an easy way to browse the various Portage packages available for the Gentoo Linux distribution.
But the identified flaws in the service meant that bad actors could have injected specially crafted code, resulting in the exposure of sensitive information.
“SQL injection is exploitable and has the ability to reveal the PostgreSQL server version and execute arbitrary commands on the system,” said SonarSource.
The development comes months after SonarSource uncovered a cross-site scripting (XSS) flaw in an open source business suite called Odoo that could be exploited to impersonate a victim on a vulnerable Odoo instance and extract valuable data.
Earlier this year, security flaws were also disclosed in open source software such as Pretalx and OpenEMR that could pave the way for a remote attacker to execute arbitrary code.