CVE-2020-13151
CRITICAL 9.8
Description
Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 8/5/2020
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
aerospike:aerospike_server
Weaknesses (CWE)
CWE-78
References
http://packetstormsecurity.com/files/160106/Aerospike-Database-5.1.0.3-Remote-Command-Execution.html (cve@mitre.org, af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/160451/Aerospike-Database-UDF-Lua-Code-Execution.html (cve@mitre.org, af854a3a-2127-422b-91ae-364da2661108)
https://b4ny4n.github.io/network-pentest/2020/08/01/cve-2020-13151-poc-aerospike.html (cve@mitre.org, af854a3a-2127-422b-91ae-364da2661108)
https://www.aerospike.com/docs/operations/configure/security/access-control/index.html#create-users-and-assign-roles (cve@mitre.org, af854a3a-2127-422b-91ae-364da2661108)
https://www.aerospike.com/download/server/notes.html#5.1.0.3 (cve@mitre.org, af854a3a-2127-422b-91ae-364da2661108)
https://www.aerospike.com/enterprise/download/server/notes.html#5.1.0.3 (af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.