PT-2023-20436 · Gentoo · Soko

Arthur Zamarin · Published 2023-02-24 · Updated 2023-03-06 · CVE-2023-26033

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Gentoo Soko versions prior to 1.0.1

Description: The issue allows SQL injection, leading to a denial of service. When the "Recently Visited Packages" view is selected, the value of the search history cookie is base64-decoded and used in SQL queries without proper sanitization, so a user can inject SQL simply by modifying the cookie value. This can result in the database being modified or wiped; the CVSS vector above scores that as an integrity impact (I:H) rather than an availability impact. Since only public data is stored, there is no confidentiality impact for site users. If the database is modified, it can be restored by wiping it and re-running the update of all components.

Recommendations: For versions prior to 1.0.1, update to version 1.0.1, which resolves the issue. Until the upgrade is applied, either place a proxy in front of the application that always drops the search history cookie, or sanitize (validate) the value of the search history cookie after base64-decoding it and before it reaches any query.
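The following Go program is an added illustration of both the flaw described above and the two workarounds; it is not Soko's own code. It assumes a cookie format (a base64-encoded JSON array of "category/package" atoms, cookie name `search_history`), a PostgreSQL-style placeholder syntax and a simplified `packages` table, none of which are taken from the project. The crafted cookie value is constructed here for the demonstration. It shows the vulnerable string-splicing pattern next to a hardened version that allow-lists each atom and binds it as a parameter, plus a middleware that strips the cookie the way a front proxy would.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Assumed cookie format (not taken from the Soko source): the search history
// cookie holds a base64-encoded JSON array of package atoms, e.g.
// ["app-editors/vim","sys-apps/portage"]. The second entry here is a
// constructed injection payload.
const craftedJSON = `["app-editors/vim","x'); DROP TABLE packages; --"]`

// craftedCookie is the constructed attacker cookie value carrying craftedJSON.
var craftedCookie = base64.StdEncoding.EncodeToString([]byte(craftedJSON))

// atomPattern is an assumed allow-list for "category/package" atoms; anything
// that does not match is rejected before it can reach a query.
var atomPattern = regexp.MustCompile(`^[a-z0-9][a-z0-9+_.-]*/[A-Za-z0-9+_][A-Za-z0-9+_.-]*$`)

// decodeHistoryCookie base64-decodes the cookie and parses the JSON array.
func decodeHistoryCookie(raw string) ([]string, error) {
	b, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, err
	}
	var atoms []string
	if err := json.Unmarshal(b, &atoms); err != nil {
		return nil, err
	}
	return atoms, nil
}

// vulnerableQuery reproduces the flawed pattern the advisory describes: the
// decoded cookie values are spliced straight into SQL text, so a payload like
// craftedJSON ends up as attacker-controlled statements in the query string.
func vulnerableQuery(atoms []string) string {
	quoted := make([]string, len(atoms))
	for i, a := range atoms {
		quoted[i] = "'" + a + "'"
	}
	return "SELECT * FROM packages WHERE atom IN (" + strings.Join(quoted, ", ") + ")"
}

// safeQuery validates every atom against the allow-list and binds the values
// as query parameters ($1, $2, ... in PostgreSQL placeholder style), so cookie
// content is only ever data, never SQL.
func safeQuery(atoms []string) (string, []interface{}, error) {
	if len(atoms) == 0 {
		return "", nil, errors.New("empty search history")
	}
	placeholders := make([]string, len(atoms))
	args := make([]interface{}, len(atoms))
	for i, a := range atoms {
		if !atomPattern.MatchString(a) {
			return "", nil, fmt.Errorf("rejecting invalid atom %q", a)
		}
		placeholders[i] = fmt.Sprintf("$%d", i+1)
		args[i] = a
	}
	return "SELECT * FROM packages WHERE atom IN (" + strings.Join(placeholders, ", ") + ")", args, nil
}

// dropCookie is the proxy workaround expressed as middleware: the named cookie
// is removed from the request before the handler can read it, while every
// other cookie (sessions etc.) is preserved.
func dropCookie(next http.Handler, name string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		all := r.Cookies()
		r.Header.Del("Cookie")
		for _, c := range all {
			if c.Name != name {
				r.AddCookie(c)
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	atoms, err := decodeHistoryCookie(craftedCookie)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable:", vulnerableQuery(atoms))
	if _, _, err := safeQuery(atoms); err != nil {
		fmt.Println("hardened:  ", err)
	}
	q, args, _ := safeQuery([]string{"app-editors/vim", "sys-apps/portage"})
	fmt.Println("hardened:  ", q, args)
}
```

Running `main` prints the spliced query with the `DROP TABLE` fragment inside it, then the rejection from the hardened path and a parameterized query for a legitimate history. The regex allow-list is the cheap interim check the advisory recommends; the parameter binding is what actually closes the hole, and the two should be used together rather than as alternatives.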

References: Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2023-26033, GHSA-GP8G-JFQ9-5Q2G

Affected Products: Soko