CVE-2023-28424

Name of the Vulnerable Software and Affected Versions Soko versions prior to 1.0.2

Description The issue affects the package search handlers, Search and SearchFeed, implemented in pkg/app/handler/packages/search.go, allowing unauthenticated attackers to execute arbitrary SQL queries on https://packages.gentoo.org/ via the q parameter. This can lead to code execution in the context of the PostgreSQL container. The issue was addressed using prepared statements to interpolate user-controlled data in SQL queries.

Recommendations For versions prior to 1.0.2, update to version 1.0.2 or later, which includes the fix for the SQL injection issue by using prepared statements to interpolate user-controlled data in SQL queries. As a temporary workaround, consider restricting access to the Search and SearchFeed handlers until the update can be applied. Avoid using the q parameter in the affected API endpoint until the issue is resolved.