
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems.
“These SQL injections occurred despite the use of an object-relational mapping (ORM) library and prepared statements,” SonarSource researcher Thomas Chauchefoin said, adding that, because of “database misconfigurations,” the issues could result in RCE on Soko.
Two issues found in Soko’s search functionality are tracked together as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023.
Soko is a Go software module that powers packages.gentoo.org, giving users an easy way to search for the various Portage packages available in the Gentoo Linux distribution.
However, the flaws identified in the service meant that an attacker could inject specially crafted input into the search queries and expose sensitive information.

“The SQL injection could be exploited to expose the PostgreSQL server version and execute arbitrary commands on the system,” SonarSource said.
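The article's point that injection can occur even when an ORM and prepared statements are in use is illustrated below with an added example; it is constructed for this page and is not Soko's code. The table, column names and the `sortColumns` allow-list are assumptions; the vulnerable shape formats user input into the statement text, the hardened shape binds the search term as a parameter and restricts the sort key to known columns.

```go
package main

import (
	"fmt"
	"strings"
)

// Vulnerable shape: the user's search term and sort key are formatted into
// the statement text. Handing this string to a prepared-statement API does
// not help, because the attacker-controlled bytes are already part of the SQL.
func buildSearchQueryVulnerable(term, sort string) string {
	return fmt.Sprintf(
		"SELECT name FROM packages WHERE name ILIKE '%%%s%%' ORDER BY %s", term, sort)
}

// Allow-list for ORDER BY (assumed columns): identifiers cannot be bound as
// parameters, so a user-supplied sort key must map to a fixed column name.
var sortColumns = map[string]string{"name": "name", "updated": "updated_at"}

func sortColumn(requested string) (string, error) {
	col, ok := sortColumns[requested]
	if !ok {
		return "", fmt.Errorf("unsupported sort key %q", requested)
	}
	return col, nil
}

// escapeLike makes '%', '_' and '\' in the term match literally instead of
// acting as ILIKE wildcards, so a bound parameter behaves as the user expects.
func escapeLike(s string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(s)
}

// Hardened shape: constant statement text, term bound as $1, sort column
// taken only from the allow-list.
func buildSearchQuerySafe(term, sort string) (string, []any, error) {
	col, err := sortColumn(sort)
	if err != nil {
		return "", nil, err
	}
	q := "SELECT name FROM packages WHERE name ILIKE $1 ESCAPE '\\' ORDER BY " + col
	return q, []any{"%" + escapeLike(term) + "%"}, nil
}

func main() {
	// Constructed input: a quote and a wildcard, as a user might type them.
	term := "gcc'%"
	fmt.Println(buildSearchQueryVulnerable(term, "name"))
	q, args, _ := buildSearchQuerySafe(term, "name")
	fmt.Println(q, args)
}
```

In the vulnerable output the quote from the search term lands inside the statement text; in the hardened output the text is fixed and the term, wildcards escaped, travels as a separate argument.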
The development comes months after SonarSource discovered a cross-site scripting (XSS) flaw in an open-source business suite called Odoo. Exploitation of this flaw could lead to exfiltration of valuable data by impersonating a victim on a vulnerable Odoo instance.
Earlier this year, security vulnerabilities were also revealed in open source software such as Pretalx and OpenEMR, potentially opening the way for remote attackers to execute arbitrary code.