CVE-2023-26033: 
vulnerability analysis and mitigation

Gentoo soko, the software powering packages.gentoo.org, was found to contain an SQL Injection vulnerability (CVE-2023-26033) in versions prior to 1.0.1. The vulnerability was discovered and disclosed on February 24, 2023, affecting the 'Recently Visited Packages' feature of the website (GitHub Advisory).

The vulnerability stems from improper handling of the 'search_history' cookie value, which is used as a base64-encoded comma-separated list of atoms. These atoms were directly inserted into SQL queries using the 'atom = '%s'' format string, without proper sanitization. The vulnerability is classified as CWE-89 (SQL Injection) with a CVSS v3.1 base score of 9.1 (Critical) according to NVD, while GitHub assessed it with a score of 7.5 (High) (NVD).

The vulnerability could lead to a Denial of Service condition and potential database manipulation. While the database only stores public data, meaning there are no confidentiality issues for site users, attackers could potentially wipe the database or modify its contents. If database modification is detected, a full restoration is possible through a complete database wipe and component update (GitHub Advisory).

The vulnerability was patched in version 1.0.1 with commit ID 5ae9ca83b73. For users unable to upgrade immediately, two workarounds are available: 1) Use a proxy to always drop the 'search_history' cookie, which has minimal impact on user experience, or 2) Implement sanitization of the 'search_history' cookie value after base64 decoding (Gentoo Commit).