N/A

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.

N/A

N/A

Aerospike 操作系统命令注入漏洞

Aerospike是美国Aerospike公司的一套NoSQL数据库解决方案。 Aerospike（社区版）4.9.0.5版本中存在安全漏洞。攻击者借助特制的UDF利用该漏洞以当前用户权限在该集群的所有节点上执行任意的操作系统命令。

N/A

N/A