CVE-2023-28424: SQL Injection
First published: Mon Mar 20 2023(Updated: )
Soko if the code that powers packages.gentoo.org. Prior to version 1.0.2, the two package search handlers, `Search` and `SearchFeed`, implemented in `pkg/app/handler/packages/search.go`, are affected by a SQL injection via the `q` parameter. As a result, unauthenticated attackers can execute arbitrary SQL queries on `https://packages.gentoo.org/`. It was also demonstrated that primitive was enough to gain code execution in the context of the PostgreSQL container. The issue was addressed in commit `4fa6e4b619c0362728955b6ec56eab0e0cbf1e23y` of version 1.0.2 using prepared statements to interpolate user-controlled data in SQL queries.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gentoo soko | <1.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-28424?
CVE-2023-28424 is a vulnerability in Soko, the code that powers packages.gentoo.org, where unauthenticated attackers can execute arbitrary SQL queries via the q parameter.
How severe is CVE-2023-28424?
CVE-2023-28424 has a severity score of 9.8, which is considered critical.
What is the affected software for CVE-2023-28424?
The affected software is Gentoo Soko, up to version 1.0.2.
How can unauthenticated attackers exploit CVE-2023-28424?
Unauthenticated attackers can exploit CVE-2023-28424 by using SQL injection techniques through the q parameter.
How can I fix the CVE-2023-28424 vulnerability?
To fix the CVE-2023-28424 vulnerability, it is recommended to update Soko to version 1.0.2 or higher.
- collector/nvd-index
- vendor/gentoo
- canonical/gentoo soko