CVE-2020-13151

Name: CVE-2020-13151
Creator: NVD / NIST
Published: 2020-08-05T13:15:10.603+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 86.75%

Last modified Jun 17, 2026

CVE-2020-13151 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. EPSS estimates a 86.75% chance of exploitation in the next 30 days.

Description

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

86.75%

99.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-78

Affected Software

Vendor	Product	Versions
Aerospike	Aerospike Server	< 4.5.3.21
Aerospike	Aerospike Server	>= 4.6.0.1, < 4.6.0.19
Aerospike	Aerospike Server	>= 4.7.0.1, < 4.7.0.17
Aerospike	Aerospike Server	>= 4.8.0.1, < 4.8.0.13
Aerospike	Aerospike Server	>= 4.9.0.1, < 4.9.0.10
Aerospike	Aerospike Server	>= 5.0.0.1, < 5.0.0.7

References

http://packetstormsecurity.com/files/160106/Aerospike-Database-5.1.0.3-Remote-Command-Execution.htmlExploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/160451/Aerospike-Database-UDF-Lua-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
https://b4ny4n.github.io/network-pentest/2020/08/01/cve-2020-13151-poc-aerospike.htmlExploit, Third Party Advisory
https://www.aerospike.com/docs/operations/configure/security/access-control/index.html#create-users-and-assign-rolesExploit, Vendor Advisory
https://www.aerospike.com/download/server/notes.html#5.1.0.3Release Notes, Vendor Advisory
https://www.aerospike.com/enterprise/download/server/notes.html#5.1.0.3Release Notes, Vendor Advisory
http://packetstormsecurity.com/files/160106/Aerospike-Database-5.1.0.3-Remote-Command-Execution.htmlExploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/160451/Aerospike-Database-UDF-Lua-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
https://b4ny4n.github.io/network-pentest/2020/08/01/cve-2020-13151-poc-aerospike.htmlExploit, Third Party Advisory
https://www.aerospike.com/docs/operations/configure/security/access-control/index.html#create-users-and-assign-rolesExploit, Vendor Advisory
https://www.aerospike.com/download/server/notes.html#5.1.0.3Release Notes, Vendor Advisory
https://www.aerospike.com/enterprise/download/server/notes.html#5.1.0.3Release Notes, Vendor Advisory

Timeline

Published: Aug 5, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-13151?

How severe is CVE-2020-13151?

CVE-2020-13151 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 86.75% probability of exploitation in the next 30 days.

How do I fix CVE-2020-13151?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-13151?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST