CVE-2014-2913

Name
CVE-2014-2913
Description
Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
NVD Severity
unknown

References

| Type | URI |
|---|---|
| SUSE | http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html |
| Exploit | http://seclists.org/fulldisclosure/2014/Apr/240 |
| SUSE | http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html |
| MLIST | http://seclists.org/oss-sec/2014/q2/154 |
| MLIST | http://seclists.org/oss-sec/2014/q2/155 |
| Exploit | http://seclists.org/fulldisclosure/2014/Apr/242 |
| SUSE | http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html |
| BID | http://www.securityfocus.com/bid/66969 |
| FEDORA | http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:nagios:remote_plugin_executor:*:*:*:*:*:*:*:* | remote_plugin_executor | >= None | <= 2.15 |
| cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:* | opensuse | == None | == 11.4 |
| cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:* | opensuse | == None | == 12.3 |
| cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:* | opensuse | == None | == 13.1 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|