1
Candidate: CVE-2014-2913
4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913
5
http://seclists.org/fulldisclosure/2014/Apr/240
6
http://seclists.org/fulldisclosure/2014/Apr/242
8
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios
9
Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to
10
execute arbitrary commands via a newline character in the -a option to
11
libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It
12
has been reported that the vendor allows newlines as "expected behavior."
13
Also, this issue can only occur when the administrator enables the
14
"dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk"
15
warning within the comments.
18
sarnold> I marked this 'low' because arguments are discouraged for many
19
environments, access to NRPE can be restricted with firewalling or
20
other user access controls, and this might plausibly be a feature.
22
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745272
28
upstream_nagios-nrpe: needed
29
lucid_nagios-nrpe: ignored (reached end-of-life)
30
precise_nagios-nrpe: ignored (reached end-of-life)
31
precise/esm_nagios-nrpe: DNE (precise was needed)
32
quantal_nagios-nrpe: ignored (reached end-of-life)
33
saucy_nagios-nrpe: ignored (reached end-of-life)
34
trusty_nagios-nrpe: needed
35
utopic_nagios-nrpe: ignored (reached end-of-life)
36
vivid_nagios-nrpe: ignored (reached end-of-life)
37
vivid/stable-phone-overlay_nagios-nrpe: DNE
38
vivid/ubuntu-core_nagios-nrpe: DNE
39
wily_nagios-nrpe: ignored (reached end-of-life)
40
xenial_nagios-nrpe: needed
41
yakkety_nagios-nrpe: ignored (reached end-of-life)
42
zesty_nagios-nrpe: ignored (reached end-of-life)
43
artful_nagios-nrpe: needed
44
bionic_nagios-nrpe: needed
45
devel_nagios-nrpe: needed