CVE-2014-2913

Published: 07/05/2014 Updated: 11/04/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 760
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and previous versions allows remote malicious users to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.

Vulnerable Product

opensuse opensuse 12.3

opensuse opensuse 11.4

nagios remote plugin executor

opensuse opensuse 13.1

Vendor Advisories

Debian Bug report logs - #745272 nagios-nrpe: CVE-2014-2913: Remote command execution Package: nagios-nrpe-server; Maintainer for nagios-nrpe-server is Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>; Source for nagios-nrpe-server is src:nagios-nrpe (PTS, buildd, popcon) Reported by: Markus Manzke & ...
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expecte ...
Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe ...

Exploits

NRPE version 2.15 remote command execution exploit written in Python ...
=============================================
- Release date: 17.04.2014
- Discovered by: Dawid Golunski
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution
II. BACKGROUND
-------------------------
Nagios is an ope ...
#!/usr/bin/python # # # Exploit Title : NRPE <= 2.15 Remote Code Execution Vulnerability # # Discovered by : Dawid Golunski # dawid (at) legalhackers (dot) com # legalhackers.com # # Exploit Author : Claudio Viviani # www.homelab.it # # info@homelab.it # ...