Advisory

Critical SQL Injection vulnerability in the Gentoo Soko package

Take action: If you have an Object-Relational Mapping (ORM) framework available in your coding environment, avoid crafting SQL query components by hand. Manually assembling query fragments from user input is the surest way to open a SQL injection in an otherwise well protected interface.

Learn More

Gentoo Soko, a software package used in the Gentoo Linux infrastructure, has been found to have two SQL injection vulnerabilities.

CVE-2023-28424, with a CVSS score of 9.1, covers both vulnerabilities. They can be exploited by remote attackers to execute arbitrary code on affected systems.

The vulnerabilities exist in the package search handlers, specifically in the Search and SearchFeed functions implemented in pkg/app/handler/packages/search.go, as well as in the GraphiQL resolver PackageSearch implemented in pkg/api/graphql/resolvers/resolver.go.

The injection occurs through the 'q' parameter in the package search handlers and the 'searchTerm' parameter in the GraphiQL resolver. Exploiting these vulnerabilities allows unauthenticated attackers to execute SQL queries and potentially gain code execution privileges within the PostgreSQL container.

In the context of an Object-Relational Mapping (ORM) framework, the "q" parameter typically refers to a query parameter used for performing searches or filtering operations. When interacting with a database using an ORM, developers can use query parameters to dynamically construct queries and pass values from user input or application logic.

The "q" parameter is often used as a placeholder or identifier to represent the search term or query string. It allows developers to pass user-provided input or specific search criteria to the ORM framework, which then incorporates it into the generated SQL query.

Use of a 'q' parameter is a common source of vulnerabilities with ORMs when developers lack good documentation or knowledge of the ORM's query builder. In such cases they are more likely to craft parts of the query manually, feeding user input directly into the SQL text and bypassing the ORM's parameter handling, which is how SQL injections are introduced.
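To make the distinction concrete, here is an added Go example (not Soko's code) contrasting the anti-pattern the advisory describes, splicing the 'q' value into the SQL text, with the bind-parameter form an ORM or database/sql would send to PostgreSQL. The table and column names are assumed, and the helper also escapes LIKE wildcards so that user input can only ever match literally.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed schema: a "packages" table with a "name" column (not Soko's real schema).

// buildSearchUnsafe mirrors the anti-pattern: the raw 'q' value becomes part of
// the SQL statement, so a quote character in the input alters the statement.
func buildSearchUnsafe(q string) string {
	return "SELECT name FROM packages WHERE name LIKE '%" + q + "%'"
}

// escapeLike neutralises LIKE metacharacters (\ % _) so the search term is
// matched literally; the query declares backslash as the ESCAPE character.
func escapeLike(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`)
	return r.Replace(s)
}

// buildSearchSafe keeps the SQL text constant and hands the user value over as
// a bind parameter, which the driver transmits separately from the statement.
func buildSearchSafe(q string) (sql string, args []interface{}) {
	sql = "SELECT name FROM packages WHERE name LIKE $1 ESCAPE '\\'"
	return sql, []interface{}{"%" + escapeLike(q) + "%"}
}

func main() {
	q := "foo'bar" // constructed sample input with an embedded quote
	fmt.Println(buildSearchUnsafe(q)) // quote lands inside the statement text
	sql, args := buildSearchSafe(q)
	fmt.Println(sql, args) // statement unchanged; value travels as $1
}
```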

The code was patched within one day of the responsible disclosure, but deploying the updated release still requires action by administrators.
