CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence: Low
EPSS
Percentile: 96.3%
Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as “expected behavior.” Also, this issue can only occur when the administrator enables the “dont_blame_nrpe” option in nrpe.conf despite the “HIGH security risk” warning within the comments.
Vendor | Product | Version | CPE |
---|---|---|---|
nagios | remote_plugin_executor | * | cpe:2.3:a:nagios:remote_plugin_executor:*:*:*:*:*:*:*:* |
opensuse | opensuse | 11.4 | cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:* |
opensuse | opensuse | 12.3 | cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:* |
opensuse | opensuse | 13.1 | cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:* |
lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html
lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
seclists.org/fulldisclosure/2014/Apr/240
seclists.org/fulldisclosure/2014/Apr/242
seclists.org/oss-sec/2014/q2/154
seclists.org/oss-sec/2014/q2/155
www.securityfocus.com/bid/66969