Several SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems.
“This SQL injection occurred despite using the Object-Relational Mapping (ORM) library and prepared statements,” SonarSource researcher Thomas Chauchefoin said, adding that they could result in RCE on Soko due to a “misconfigured database.”
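The point in the quote above, that an ORM and prepared statements give no protection once user input has already been spliced into the SQL text, is illustrated below with an added Go example. This is not Soko's code: the `packages` table, the `name` column, the function names and the sample input are all made up for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Query is what reaches the database driver: the SQL text and the bound
// parameters. Only Args are transmitted separately; everything in SQL is
// parsed as code by the server, prepared statement or not.
type Query struct {
	SQL  string
	Args []interface{}
}

// BuildSearchUnsafe shows the pitfall: the search term is formatted into
// the SQL text before the statement is prepared, so the "prepared" statement
// already contains attacker-controlled SQL and there is nothing left for the
// driver to escape. (Hypothetical schema: table "packages", column "name".)
func BuildSearchUnsafe(term string) Query {
	where := fmt.Sprintf("name ILIKE '%%%s%%'", term) // string concatenation
	return Query{SQL: "SELECT name FROM packages WHERE " + where}
}

// BuildSearchSafe keeps the SQL text constant and binds the term as $1.
// The term can never change the structure of the query.
func BuildSearchSafe(term string) Query {
	return Query{
		SQL:  "SELECT name FROM packages WHERE name ILIKE $1",
		Args: []interface{}{"%" + term + "%"},
	}
}

// ContainsInjection is a coarse review-time check: if the raw input appears
// inside the SQL text (rather than in Args) and carries a quote, statement
// terminator or comment marker, the query structure is user-controlled.
func ContainsInjection(q Query, term string) bool {
	if !strings.Contains(q.SQL, term) {
		return false // input was bound as a parameter, not spliced into the text
	}
	return strings.ContainsAny(term, "';") || strings.Contains(term, "--")
}

func main() {
	input := "x' OR '1'='1" // constructed sample input, not from the article
	fmt.Println("unsafe:", BuildSearchUnsafe(input).SQL)
	safe := BuildSearchSafe(input)
	fmt.Println("safe:  ", safe.SQL, safe.Args)
}
```

The unsafe builder produces `... WHERE name ILIKE '%x' OR '1'='1%'`, a query whose logic the caller changed, while the safe builder hands the same text to the server as a parameter. The lesson for reviewers is to look at where user input enters the SQL string, not at whether the code calls a "prepare" API.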
Soko is the Go software module that powers package.gentoo.org, which offers users an easy way to browse the various Portage packages available for the Gentoo Linux distribution.
But the identified flaws in the service meant that bad actors could have injected custom-generated code, resulting in the exposure of sensitive information.
“SQL injection is exploitable and has the ability to reveal the PostgreSQL server version and execute arbitrary commands on the system,” said SonarSource.
The development comes months after SonarSource uncovered a cross-site scripting (XSS) flaw in an open source business suite called Odoo that could be exploited to impersonate a victim on a vulnerable Odoo instance and extract valuable data.