Critical SQL injection vulnerabilities in Gentoo Soko: potential for RCE and sensitive data exposure

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Gentoo Soko has disclosed multiple high-severity SQL injection vulnerabilities, collectively tracked as CVE-2023-28424 (CVSS score: 9.1), that could potentially result in remote code execution (RCE) on affected systems. Discovered within the search feature of Soko, these vulnerabilities were promptly addressed within 24 hours of responsible disclosure on 17th March 2023.

Impact

If successfully exploited, the SQL injection vulnerabilities of CVE-2023-28424 could enable a remote unauthenticated attacker to execute arbitrary code on the vulnerable systems via specially crafted queries.

Vulnerability Detection

To detect if your systems are impacted by the vulnerabilities, it is crucial to review your systems’ logs and traffic for any suspicious activity that may indicate SQL injection attempts. Specifically, look for unusual or unexpected SQL queries within the application logs of Gentoo Soko.
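As an added illustration of the log review described above (this is not part of the original bulletin and not Soko's own code), the following Go snippet scans constructed access-log lines for search terms carrying common SQL injection shapes. The log layout and the `q` search parameter name are assumptions; Soko's real log format is not described on this page.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample log lines in a generic HTTP access-log shape (assumed,
// not Soko's real format): timestamp, method, request target, status.
var sampleLogs = []string{
	`2023-03-17T10:02:11Z GET /packages/search?q=gcc 200`,
	`2023-03-17T10:02:15Z GET /packages/search?q=sys-devel%2Fgcc 200`,
	`2023-03-17T10:03:40Z GET /packages/search?q=gcc%27%20OR%201%3D1--%20 500`,
	`2023-03-17T10:03:41Z GET /packages/search?q=x%27%20UNION%20SELECT%20version()--%20 500`,
	`2023-03-17T10:04:02Z GET /packages/search?q=it%27s%20a%20lib 200`,
}

// sqliIndicator matches frequent injection shapes: a quote followed by an
// OR/AND comparison, a UNION SELECT clause, a quote followed by a SQL
// comment, or a statement terminator followed by a DML/DDL keyword.
var sqliIndicator = regexp.MustCompile(
	`(?i)('\s*(or|and)\s+\S+\s*=|union\s+select|'\s*--|;\s*(drop|select|insert|update|delete)\b)`)

// searchParam returns the percent-decoded "q" parameter of a log line,
// or "" when the line is malformed or carries no search term.
func searchParam(line string) string {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return ""
	}
	u, err := url.Parse(fields[2])
	if err != nil {
		return ""
	}
	return u.Query().Get("q")
}

// flagSQLi returns the decoded search terms that match an injection shape.
// Decoding first matters: the indicators are hidden behind %27/%20 in the raw line.
func flagSQLi(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if q := searchParam(l); q != "" && sqliIndicator.MatchString(q) {
			hits = append(hits, q)
		}
	}
	return hits
}

func main() {
	for _, h := range flagSQLi(sampleLogs) {
		fmt.Printf("suspicious search term: %q\n", h)
	}
}
```

Pattern matching of this kind is a triage aid, not proof of exploitation; the page's own indicator, unexpected SQL reaching the database, should be confirmed in the application or database logs.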

Affected Products

Soko, a Go software module, powers packages[.]gentoo[.]org and offers users the ability to search different Portage packages available for the Gentoo Linux distribution. Furthermore, a successful attack could potentially interfere with the platform’s services or impact the reliability of the Portage packages on offer for Gentoo Linux.

This vulnerability is present in Soko versions prior to 1.0.2.

Containment, Mitigations & Remediations

It is strongly recommended that any versions of Soko are updated to the latest patched version.

Threat Landscape

As the backbone of packages[.]gentoo[.]org, Gentoo Soko holds a pivotal role in the Gentoo Linux distribution ecosystem. This prominence, coupled with the potential for RCE and sensitive data exposure, makes it a tempting target for threat actors. Cybercriminals typically weigh their attack strategy against the potential reward and the likelihood of success, and given Soko’s widespread usage and the critical nature of the vulnerabilities, it presents an attractive attack surface. Moreover, the fact that Soko’s vulnerabilities could be exploited despite the use of established defences such as Object-Relational Mapping (ORM) and prepared statements underscores the sophistication of potential threats. As long as open-source software such as Soko remains integral to business and developer operations, threat actors will persist in their attempts to exploit such vulnerabilities, aiming to extract sensitive information or disrupt essential services.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactics

TA0002 – Execution

Further Information

CVE Details

NIST CVE

HackerNews article
