What is CVE-2023-28424?

CVE-2023-28424 is a vulnerability in Soko, the code that powers packages.gentoo.org, where unauthenticated attackers can execute arbitrary SQL queries via the q parameter.

How severe is CVE-2023-28424?

CVE-2023-28424 has a severity score of 9.8, which is considered critical.

What is the affected software for CVE-2023-28424?

The affected software is Gentoo Soko, up to version 1.0.2.

How can unauthenticated attackers exploit CVE-2023-28424?

Unauthenticated attackers can exploit CVE-2023-28424 by using SQL injection techniques through the q parameter.

How can I fix the CVE-2023-28424 vulnerability?

To fix the CVE-2023-28424 vulnerability, it is recommended to update Soko to version 1.0.2 or higher.

Vulnerability/
CVE-2023-28424

critical

9.8

CWE

20/3/2023

12/12/2024

CVE-2023-28424: Soko SQL Injection vulnerability

First published: Mon Mar 20 2023(Updated: )

Soko if the code that powers packages.gentoo.org. Prior to version 1.0.2, the two package search handlers, `Search` and `SearchFeed`, implemented in `pkg/app/handler/packages/search.go`, are affected by a SQL injection via the `q` parameter. As a result, unauthenticated attackers can execute arbitrary SQL queries on `https://packages.gentoo.org/`. It was also demonstrated that primitive was enough to gain code execution in the context of the PostgreSQL container. The issue was addressed in commit `4fa6e4b619c0362728955b6ec56eab0e0cbf1e23y` of version 1.0.2 using prepared statements to interpolate user-controlled data in SQL queries.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Gentoo soko	<1.0.2

Remedy

https://gitweb.gentoo.org/sites/soko.git/commit/?id=4fa6e4b619c0362728955b6ec56eab0e0cbf1e23

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-28424?
CVE-2023-28424 is a vulnerability in Soko, the code that powers packages.gentoo.org, where unauthenticated attackers can execute arbitrary SQL queries via the q parameter.
How severe is CVE-2023-28424?
CVE-2023-28424 has a severity score of 9.8, which is considered critical.
What is the affected software for CVE-2023-28424?
The affected software is Gentoo Soko, up to version 1.0.2.
How can unauthenticated attackers exploit CVE-2023-28424?
Unauthenticated attackers can exploit CVE-2023-28424 by using SQL injection techniques through the q parameter.
How can I fix the CVE-2023-28424 vulnerability?
To fix the CVE-2023-28424 vulnerability, it is recommended to update Soko to version 1.0.2 or higher.

collector/nvd-index
agent/type
agent/softwarecombine
agent/remedy
agent/title
agent/weakness
agent/severity
agent/author
agent/description
agent/first-publish-date
agent/event
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
vendor/gentoo
canonical/gentoo soko

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.