CVE-2014-2913

Published: 07 May 2014

** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.

Priority

Low

Status

Package: nagios-nrpe (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needed
Ubuntu 21.10 (Impish Indri)        Needed
Ubuntu 21.04 (Hirsute Hippo)       Needed
Ubuntu 20.04 LTS (Focal Fossa)     Needed
Ubuntu 18.04 LTS (Bionic Beaver)   Needed
Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable (2.15-1ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist (trusty was needed)

Notes

Author: seth-arnold
Note: I marked this 'low' because arguments are discouraged for many
environments, access to NRPE can be restricted with firewalling or
other user access controls, and this might plausibly be a feature.
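
A host is exposed only when command arguments are enabled, so an audit of nrpe.conf is the practical check. The script below is an added example, not part of this tracker entry or of NRPE. It assumes NRPE's usual command[name]=... definitions and $ARGn$ macros, and the sample configuration is constructed.

```python
import re

# Constructed sample nrpe.conf content (not taken from a real host).
SAMPLE_CONF = """\
# COMMAND ARGUMENT PROCESSING
dont_blame_nrpe=1
allowed_hosts=127.0.0.1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$
#command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$
"""

# key=value directive; lines starting with '#' never match.
DIRECTIVE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")
COMMAND = re.compile(r"^command\[([^\]]+)\]$")
ARG_MACRO = re.compile(r"\$ARG\d+\$")


def audit_nrpe_conf(text):
    """Return (args_enabled, allowed_hosts, commands_using_args)."""
    args_enabled = False
    allowed_hosts = None
    arg_commands = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # blank line, comment, or not a directive
        key, value = m.group(1), m.group(2)
        if key == "dont_blame_nrpe":
            # Assumption: only the value 1 turns argument passing on.
            args_enabled = value == "1"
        elif key == "allowed_hosts":
            allowed_hosts = value
        else:
            cmd = COMMAND.match(key)
            if cmd and ARG_MACRO.search(value):
                arg_commands.append(cmd.group(1))
    return args_enabled, allowed_hosts, arg_commands


def is_exposed(text):
    """True when arguments are enabled and some command consumes them."""
    args_enabled, _hosts, arg_commands = audit_nrpe_conf(text)
    return args_enabled and bool(arg_commands)


if __name__ == "__main__":
    print(audit_nrpe_conf(SAMPLE_CONF), is_exposed(SAMPLE_CONF))
```

The allowed_hosts value is returned so the reviewer can compare it with the firewalling mentioned in the note above.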
