CVE-2014-2913

Publication date 7 May 2014

Last updated 24 July 2024

** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nagios-nrpe	24.04 LTS noble	Not affected
	23.10 mantic	Ignored end of life, was needed
	23.04 lunar	Ignored end of life, was needed
	22.10 kinetic	Ignored end of life, was needed
	22.04 LTS jammy	Not affected
	21.10 impish	Ignored end of life
	21.04 hirsute	Ignored end of life
	20.10 groovy	Ignored end of life
	20.04 LTS focal	Not affected
	19.10 eoan	Ignored end of life
	19.04 disco	Ignored end of life
	18.10 cosmic	Ignored end of life
	18.04 LTS bionic	Not affected
	17.10 artful	Ignored end of life
	17.04 zesty	Ignored end of life
	16.10 yakkety	Ignored end of life
	16.04 LTS xenial	Not affected
	15.10 wily	Ignored end of life
	15.04 vivid	Ignored end of life
	14.10 utopic	Ignored end of life
	14.04 LTS trusty	Not in release
	13.10 saucy	Ignored end of life
	12.10 quantal	Ignored end of life
	12.04 LTS precise	Ignored end of life
	10.04 LTS lucid	Ignored end of life

Notes

seth-arnold

I marked this 'low' because arguments are discouraged for many environments, access to NRPE can be restricted with firewalling or other user access controls, and this might plausibly be a feature.

CVE-2014-2913

Status

Notes

seth-arnold

References

Other references