CVE-2013-1362

Published: 09/07/2013 Updated: 30/10/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) prior to 2.14 might allow remote malicious users to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.

Vulnerable Product

opensuse opensuse 12.1

opensuse opensuse 12.2

opensuse opensuse 11.4

nagios remote plug in executor 2.8.1

nagios remote plug in executor 2.8

nagios remote plug in executor 2.5

nagios remote plug in executor 2.4

nagios remote plug in executor 2.0b1

nagios remote plug in executor 1.8

nagios remote plug in executor 2.10

nagios remote plug in executor 2.9

nagios remote plug in executor 2.5.2

nagios remote plug in executor 2.5.1

nagios remote plug in executor 2.0b3

nagios remote plug in executor 2.0b2

nagios remote plug in executor 1.3

nagios remote plug in executor

nagios remote plug in executor 2.8b1

nagios remote plug in executor 2.7.1

nagios remote plug in executor 2.3

nagios remote plug in executor 2.0

nagios remote plug in executor 1.7

nagios remote plug in executor 1.6

nagios remote plug in executor 2.12

nagios remote plug in executor 2.11

nagios remote plug in executor 2.7

nagios remote plug in executor 2.6

nagios remote plug in executor 2.0b5

nagios remote plug in executor 1.9

nagios remote plug in executor 2.0b4

nagios remote plug in executor 1.5

nagios remote plug in executor 1.4

Vendor Advisories

Debian Bug report logs - #701227 nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands Package: nagios-nrpe; Maintainer for nagios-nrpe is Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date ...
Debian Bug report logs - #745272 nagios-nrpe: CVE-2014-2913: Remote command execution Package: nagios-nrpe-server; Maintainer for nagios-nrpe-server is Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>; Source for nagios-nrpe-server is src:nagios-nrpe (PTS, buildd, popcon) Reported by: Markus Manzke & ...
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash ...
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash ...

Exploits

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # metasploit.com/ ## # require 'msf/core' require 'zlib' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking i ...
Nagios NRPE versions 2.13 and below suffer from a remote command execution vulnerability ...