Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on susceptible systems.
“These SQL injections occurred in spite of the use of an Object-Relational Mapping (ORM) library and prepared statements,” SonarSource researcher Thomas Chauchefoin explained, adding that they could result in RCE on Soko because of a “misconfiguration of the database.”
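The point behind Chauchefoin's remark is that an ORM's prepared statements only protect the values passed as bound arguments; any user input formatted into the query string itself reaches the database as SQL, whatever library wraps the call. The Go example below is added here as an illustration and is not Soko's, SonarSource's or any ORM's code: the Clause type, the two search builders, the render preview and the untrustedInClauseText check are constructed, hypothetical names that model the (clause, args...) calling convention of Go ORMs, and the probe string is constructed input.

```go
package main

import (
	"fmt"
	"strings"
)

// Clause is a constructed stand-in for the (clause, args...) pair that Go ORMs
// accept in calls such as db.Where(clause, args...). The ORM and driver only
// bind Args as parameters; whatever is already inside SQL reaches PostgreSQL
// as query text. This is a hypothetical model, not Soko's or any ORM's code.
type Clause struct {
	SQL  string
	Args []any
}

// vulnerableSearch formats the user-supplied search term directly into the
// SQL text. The clause is still handed to an ORM that uses prepared
// statements for Args, but the term never becomes a bound parameter, so a
// quote inside it ends the string literal and the rest is parsed as SQL.
func vulnerableSearch(term string) Clause {
	return Clause{SQL: fmt.Sprintf("name ILIKE '%%%s%%'", term)}
}

// safeSearch keeps the SQL text constant and passes the term as an argument.
// The driver binds it as one string value; it can only be matched against,
// never parsed as SQL.
func safeSearch(term string) Clause {
	return Clause{SQL: "name ILIKE ?", Args: []any{"%" + term + "%"}}
}

// render substitutes Args into the '?' placeholders the way a text-only
// preview would (single quotes doubled). Real drivers send the text and the
// parameters separately; this only makes the difference between the two
// builders visible to the reader.
func render(c Clause) string {
	var b strings.Builder
	next := 0
	for _, r := range c.SQL {
		if r == '?' && next < len(c.Args) {
			v := strings.ReplaceAll(fmt.Sprint(c.Args[next]), "'", "''")
			b.WriteString("'" + v + "'")
			next++
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

// untrustedInClauseText is a cheap review-time check for query builders:
// the SQL text of a properly parameterized clause must not change when the
// untrusted input changes. If it does, the input is being spliced into the
// query itself and the ORM's prepared statements do not protect it.
func untrustedInClauseText(build func(string) Clause, probe string) bool {
	return build("a").SQL != build(probe).SQL
}

func main() {
	// Constructed probe: a quote that closes the literal, followed by SQL.
	probe := "x' OR 1=1 --"
	for name, build := range map[string]func(string) Clause{
		"vulnerable": vulnerableSearch,
		"safe":       safeSearch,
	} {
		c := build(probe)
		fmt.Printf("%-10s text=%q args=%v\n", name, c.SQL, c.Args)
		fmt.Printf("%-10s server sees: %s\n", name, render(c))
		fmt.Printf("%-10s input in SQL text: %v\n", name, untrustedInClauseText(build, probe))
	}
}
```

Run it with `go run`: the vulnerable builder's clause text changes with the input, the safe builder's does not, and only the vulnerable one ends up with the probe's `OR 1=1` outside the string literal. Parameterization addresses the injection itself; the separate lesson in the quoted remark about a “misconfiguration of the database” is that the privileges of the application's database role decide whether a successful injection stays a data-disclosure bug or turns into command execution, so that role should hold no more than the application needs.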
The two issues, which were discovered in the search feature of Soko, are collectively tracked as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023.
Soko is a Go software module that powers packages.gentoo.org, offering users an easy way to search through the Portage packages that are available for the Gentoo Linux distribution.
But the shortcomings identified in the service meant that it could have been possible for a malicious actor to inject specially crafted code, resulting in the exposure of sensitive information.
“The SQL injections were exploitable and had the potential to disclose the PostgreSQL server's version and execute arbitrary commands on the system,” SonarSource said.
The development comes months after SonarSource uncovered a cross-site scripting (XSS) flaw in the open-source business suite Odoo that could be exploited to impersonate any victim on a vulnerable Odoo instance as well as exfiltrate valuable data.
Earlier this year, security weaknesses were also disclosed in open-source software such as Pretalx and OpenEMR that could pave the way for remote attackers to execute arbitrary code.
Some parts of this article are sourced from:
thehackernews.com