image credit: Adobe Stock

Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution

June 28, 2023

Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems.

“These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements,” SonarSource researcher Thomas Chauchefoin said, adding they could result in RCE on Soko because of a “misconfiguration of the database.”

The two issues, which were discovered in the search feature of Soko, have been collectively tracked as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023.

Read More on The Hacker News