PT-2020-13356 · Aerospike · Aerospike Community Edition
Published
2020-08-05
·
Updated
2023-01-28
·
CVE-2020-13151
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Aerospike Community Edition version 4.9.0.5
Description
The issue allows unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. Although the server attempts to restrict code execution by disabling os.execute() calls, this restriction is insufficient. As a result, anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.
Recommendations
For Aerospike Community Edition version 4.9.0.5, consider disabling the execution of user-defined functions (UDFs) until a patch is available to prevent the execution of arbitrary OS commands. Restrict access to the database query functionality to minimize the risk of exploitation. Avoid using crafted UDFs in the affected database query endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
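The description above makes a general sandboxing point: removing a single function (os.execute) from the interpreter does not confine an untrusted Lua chunk. The following Lua 5.1 script is an added illustration of that point; it is not Aerospike's UDF runtime, nor a patch for it. It contrasts a deny-list environment (full globals minus os.execute) with an allow-list environment (only pure computation helpers), and runs a constructed probe chunk, standing in for a submitted UDF, that reports which standard capability names it can still reach. Lua 5.1's loadstring/setfenv API is assumed because that is the Lua generation Aerospike's UDF engine embeds; the function names and the probe are constructed for this example.

```lua
-- Added example (not Aerospike code): two ways of building the environment an
-- untrusted Lua chunk runs in. Lua 5.1 API (loadstring/setfenv) is assumed.

-- Deny-list: copy the real globals and remove only os.execute.
local function denylist_env()
  local env = {}
  for k, v in pairs(_G) do env[k] = v end
  local os_copy = {}
  for k, v in pairs(os) do
    if k ~= "execute" then os_copy[k] = v end
  end
  env.os = os_copy
  return env
end

-- Allow-list: start from an empty table and expose only computation helpers.
-- No os, io, package, require, loadstring, dofile or metatable access.
local function allowlist_env()
  return {
    string = string, table = table, math = math,
    pairs = pairs, ipairs = ipairs, select = select,
    tostring = tostring, tonumber = tonumber, type = type,
    error = error, pcall = pcall,
  }
end

-- Compile an untrusted chunk and run it with the chosen environment as its
-- global table, so every free name in the chunk resolves against env only.
local function run_udf(src, env)
  local fn, err = loadstring(src, "=udf")
  if not fn then return false, err end
  setfenv(fn, env)
  return pcall(fn)
end

-- Constructed stand-in for a submitted UDF. It does nothing harmful; it only
-- reports which standard capability names the sandbox still exposes.
local probe = [[
  local seen = {}
  if os then seen[#seen + 1] = "os" end
  if io then seen[#seen + 1] = "io" end
  if package then seen[#seen + 1] = "package" end
  if loadstring then seen[#seen + 1] = "loadstring" end
  if dofile then seen[#seen + 1] = "dofile" end
  return table.concat(seen, ",")
]]

-- Run the same probe under both environments and show what each leaves reachable.
local ok, result = run_udf(probe, denylist_env())
print("deny-list  :", ok, result)

ok, result = run_udf(probe, allowlist_env())
print("allow-list :", ok, result)
```

Under the deny-list environment the probe still sees the os, io and package tables and the chunk loaders, which is the situation the advisory describes; under the allow-list environment it sees none of them. The allow-list is the pattern to apply when UDF execution cannot be disabled outright: enumerate what a UDF legitimately needs (the example models only the standard library, not Aerospike's own record API binding) and expose nothing else.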
Exploit
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Aerospike Community Edition