A number of SQL injection vulnerabilities have been disclosed in Gentoo Soko that could result in remote code execution (RCE) on vulnerable systems.
“These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements,” SonarSource researcher Thomas Chauchefoin said, adding that they could result in RCE on Soko because of a “misconfiguration of the database.”
The two issues, which were found in the search feature of Soko, have been collectively tracked as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023.
Soko is a Go software module that powers packages.gentoo.org, offering users an easy way to search through the different Portage packages that are available for the Gentoo Linux distribution.
But the shortcomings identified in the service meant that it could have been possible for a malicious actor to inject specially crafted code, resulting in the exposure of sensitive information.
“The SQL injections were exploitable and had the ability to disclose the PostgreSQL server’s version and execute arbitrary commands on the system,” SonarSource said.
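The quoted point that the injections survived an ORM and prepared statements is worth making concrete. The Go sketch below is an added illustration, not Soko's code or SonarSource's finding: it assumes a hypothetical package-search query with a `packages` table and a user-chosen sort column, the classic place where input gets spliced into SQL text because an identifier cannot be bound as a parameter. The unsafe builder shows that pattern; the safe builder binds the search term and allowlists the sort column.

```go
package main

import (
	"errors"
	"fmt"
)

// allowedSortColumns is the allowlist for the one fragment that cannot be a
// bound parameter: the ORDER BY identifier. (Hypothetical column names.)
var allowedSortColumns = map[string]bool{
	"name":     true,
	"category": true,
	"updated":  true,
}

// buildSearchUnsafe is the anti-pattern: both the search term and the sort
// column are formatted straight into the SQL string, so a prepared statement
// around the result changes nothing, the user input is already SQL syntax.
func buildSearchUnsafe(term, sort string) string {
	return fmt.Sprintf(
		"SELECT name FROM packages WHERE name ILIKE '%%%s%%' ORDER BY %s",
		term, sort)
}

// buildSearchSafe binds the term as $1 (PostgreSQL placeholder syntax) and
// accepts the sort column only if it is on the allowlist, so no user-supplied
// byte ever reaches the query text.
func buildSearchSafe(term, sort string) (string, []any, error) {
	if !allowedSortColumns[sort] {
		return "", nil, errors.New("unknown sort column")
	}
	query := "SELECT name FROM packages WHERE name ILIKE $1 ORDER BY " + sort
	return query, []any{"%" + term + "%"}, nil
}

func main() {
	// Constructed input: an apostrophe is enough to show the difference.
	fmt.Println(buildSearchUnsafe("o'neil", "name"))
	q, args, err := buildSearchSafe("o'neil", "name")
	fmt.Println(q, args, err)
	_, _, err = buildSearchSafe("portage", "name; SELECT version()")
	fmt.Println("bad sort column rejected:", err != nil)
}
```

The safe query string is the same for every request; only `args` changes, which is what lets the database driver send it as a real prepared statement.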
The development comes months after SonarSource uncovered a cross-site scripting (XSS) flaw in an open-source business suite called Odoo that could be exploited to impersonate any victim on a vulnerable Odoo instance as well as exfiltrate valuable data.
Earlier this year, security weaknesses were also disclosed in open-source software such as Pretalx and OpenEMR that could pave the way for remote attackers to execute arbitrary code.