Vulnerability Details : CVE-2020-13151
Public exploit exists!
Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.
Exploit prediction scoring system (EPSS) score for CVE-2020-13151
- EPSS score: 85.26% (probability of exploitation activity in the next 30 days)
- Percentile: ~99% (the proportion of vulnerabilities that are scored at or below this one)
Metasploit modules for CVE-2020-13151
- Aerospike Database UDF Lua Code Execution
  Disclosure Date: 2020-07-31. First seen: 2020-12-10. Module: exploit/linux/misc/aerospike_database_udf_cmd_exec
  Aerospike Database versions before 5.1.0.3 permitted user-defined functions (UDF) to call the `os.execute` Lua function. This module creates a UDF utilising this function to execute arbitrary operating system commands with the privileges
CVSS scores for CVE-2020-13151
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2020-13151
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13151
- https://www.aerospike.com/docs/operations/configure/security/access-control/index.html#create-users-and-assign-roles
  Configuring Access Control (Exploit; Vendor Advisory)
- https://www.aerospike.com/download/server/notes.html#5.1.0.3
  Aerospike Server CE Release Note | Download | Aerospike (Release Notes; Vendor Advisory)
- http://packetstormsecurity.com/files/160451/Aerospike-Database-UDF-Lua-Code-Execution.html
  Aerospike Database UDF Lua Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://b4ny4n.github.io/network-pentest/2020/08/01/cve-2020-13151-poc-aerospike.html
  CVE-2020-13151 POC: Aerospike Server Host Command Execution | -pentest notes- (Exploit; Third Party Advisory)
- https://www.aerospike.com/enterprise/download/server/notes.html#5.1.0.3
  Aerospike Server EE Release Note | Enterprise Download | Aerospike (Release Notes; Vendor Advisory)
- http://packetstormsecurity.com/files/160106/Aerospike-Database-5.1.0.3-Remote-Command-Execution.html
  Aerospike Database 5.1.0.3 Remote Command Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
Products affected by CVE-2020-13151
- Aerospike » Aerospike Server » Community Edition, versions from 4.6.0.1 (inclusive) up to but not including 4.6.0.19. CPE: cpe:2.3:a:aerospike:aerospike_server:*:*:*:*:community:*:*:*
- Aerospike » Aerospike Server » Community Edition, versions from 4.8.0.1 (inclusive) up to but not including 4.8.0.13. CPE: cpe:2.3:a:aerospike:aerospike_server:*:*:*:*:community:*:*:*
- Aerospike » Aerospike Server » Community Edition, versions from 4.7.0.1 (inclusive) up to but not including 4.7.0.17. CPE: cpe:2.3:a:aerospike:aerospike_server:*:*:*:*:community:*:*:*
- Aerospike » Aerospike Server » Community Edition, versions from 4.9.0.1 (inclusive) up to but not including 4.9.0.10. CPE: cpe:2.3:a:aerospike:aerospike_server:*:*:*:*:community:*:*:*
- Aerospike » Aerospike Server » Community Edition, versions from 5.0.0.1 (inclusive) up to but not including 5.0.0.7. CPE: cpe:2.3:a:aerospike:aerospike_server:*:*:*:*:community:*:*:*
- cpe:2.3:a:aerospike:aerospike_server:*:*:*:*:community:*:*:*