CVE-2020-13151 – Aerospike Database 5.1.0.3 - OS Command Execution

https://notcve.org/view.php?id=CVE-2020-13151

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service. Aerospike Community Edition versión 4.9.0.5, permite el envío y la ejecución no autenticada de funciones definidas por el usuario (UDF), escritas en Lua, como parte de una consulta de base de datos. Intenta restringir la ejecución del código al deshabilitar las llamadas a la función os.execute(), pero esto es insuficiente. • https://www.exploit-db.com/exploits/49067 https://github.com/b4ny4n/CVE-2020-13151 http://packetstormsecurity.com/files/160106/Aerospike-Database-5.1.0.3-Remote-Command-Execution.html http://packetstormsecurity.com/files/160451/Aerospike-Database-UDF-Lua-Code-Execution.html https://b4ny4n.github.io/network-pentest/2020/08/01/cve-2020-13151-poc-aerospike.html https://www.aerospike.com/docs/operations/configure/security/access-control/index.html#create-users-and-assign-roles https://www.aerospike.com&# • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •