Attackers could leverage a pair of already-addressed SQL injection flaws in Gentoo Soko, a Go module deployed on the Gentoo Linux infrastructure, to facilitate remote code execution attacks that could lead to sensitive data exposure, reports The Hacker News. The vulnerabilities, tracked as CVE-2023-28424, stemmed from a database misconfiguration and were not prevented by an Object-Relational Mapping library and prepared statements, according to SonarSource researcher Thomas Chauchefoin.
Source: SC Magazine