cvedb.io
CVE-2023-26033
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2023-02-25T00:15:11.170 · Last modified 2026-06-17T05:42:30.730

Summary

Gentoo soko is the code that powers packages.gentoo.org. Versions prior to 1.0.1 are vulnerable to SQL Injection, leading to a Denial of Service. If the user selects (in user preferences) the "Recently Visited Packages" view for the index page, the value of the `search_history` cookie is used as a base64 encoded comma separated list of atoms. These are string loaded directly into the SQL query with `atom = '%s'` format string. As a result, any user can modify the browser's cookie value and inject most SQL queries. A proof of concept malformed cookie was generated that wiped the database or changed it's content. On the database, only public data is stored, so there is no confidentiality issues to site users. If it is known that the database was modified, a full restoration of data is possib

Affected products

gentoo — soko

Does this affect you?

Add your gear to cvedb and we'll alert you only when gentoo ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.