CVE-2013-1362 (retired)

Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
Executor (NRPE) before 2.14 might allow remote attackers to execute
arbitrary shell commands via "$()" shell metacharacters, which are
processed by bash.
 jdstrand> This is a problem but requires 'dont_blame_nrpe' to be set in
  /etc/nagios/nrpe.cfg. This is set to '0' in Ubuntu and there are significant
  warnings in /etc/nagios/nrpe.cfg about the security risks of enabling
  external command arguments.
Upstream:released (2.14)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (2.15-0ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (2.15-0ubuntu1)
More Information

Updated: 2019-03-26 12:06:50 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)