CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |

EPSS
Metric | Value |
---|---|
Percentile | 96.3% |

DISPUTED Incomplete blacklist vulnerability in nrpe.c in Nagios
Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to
execute arbitrary commands via a newline character in the -a option to
libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It
has been reported that the vendor allows newlines as “expected behavior.”
Also, this issue can only occur when the administrator enables the
“dont_blame_nrpe” option in nrpe.conf despite the “HIGH security risk”
warning within the comments.
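
A defensive check for the condition described above, added here as an example and not taken from the advisory or the NRPE project: it parses an NRPE configuration and reports whether `dont_blame_nrpe` is enabled, which `allowed_hosts` are listed, and which command definitions substitute `$ARGn$` macros. The sample configurations, plugin paths and function names are constructed for illustration, and the parser assumes a later assignment overrides an earlier one.

```python
import re

# Constructed sample configurations (not taken from any real host).
RISKY_CFG = """\
# COMMAND ARGUMENT PROCESSING
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$
command[check_load]=/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6
"""
SAFE_CFG = """\
allowed_hosts=127.0.0.1
#dont_blame_nrpe=1
dont_blame_nrpe=0
command[check_load]=/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")      # client-supplied argument macro
COMMAND_KEY = re.compile(r"command\[(.+)\]")

def _enabled(value):
    """Treat only an integer value of 1 as 'on'."""
    try:
        return int(value) == 1
    except ValueError:
        return False

def audit_nrpe_config(text):
    """Summarise the argument-passing exposure of an NRPE config string."""
    settings, arg_commands = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                        # blank, comment, or not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        match = COMMAND_KEY.fullmatch(key)
        if match:
            if ARG_MACRO.search(value):
                arg_commands.append(match.group(1))
            continue
        settings[key] = value               # assumption: last assignment wins
    args_enabled = _enabled(settings.get("dont_blame_nrpe", "0"))
    hosts = [h.strip() for h in settings.get("allowed_hosts", "").split(",")]
    return {
        "args_enabled": args_enabled,
        "allowed_hosts": [h for h in hosts if h],
        "commands_using_args": arg_commands,
        # Client-supplied text reaches a command line only when both hold.
        "needs_review": args_enabled and bool(arg_commands),
    }
```
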
Author | Note |
---|---|
seth-arnold | I marked this ‘low’ because arguments are discouraged for many environments, access to NRPE can be restricted with firewalling or other user access controls, and this might plausibly be a feature. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | nagios-nrpe | < any | UNKNOWN |
ubuntu | 20.04 | noarch | nagios-nrpe | < any | UNKNOWN |
ubuntu | 22.04 | noarch | nagios-nrpe | < any | UNKNOWN |
ubuntu | 24.04 | noarch | nagios-nrpe | < any | UNKNOWN |