CVE-2020-13151

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-13151
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13151.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-13151
Published
2020-08-05T13:15:10Z
Modified
2024-05-30T02:18:51.697869Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.

References

Affected packages

Git / github.com/aerospike/aerospike-server

Affected ranges

Type
GIT
Repo
https://github.com/aerospike/aerospike-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

4.*

4.0.0.1
4.1.0.1
4.2.0.2
4.3.0.2
4.3.1.3
4.3.1.4
4.4.0.4
4.5.0.1
4.5.1.5
4.5.2.1
4.5.3.10
4.5.3.11
4.5.3.12
4.5.3.13
4.5.3.14
4.5.3.15
4.5.3.16
4.5.3.17
4.5.3.18
4.5.3.19
4.5.3.2
4.5.3.3
4.5.3.4
4.5.3.5
4.5.3.6
4.5.3.7
4.5.3.8