CVE-2013-1362
Published: 9 July 2013
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
Notes
Author | Note |
---|---|
jdstrand | This is a problem but requires 'dont_blame_nrpe' to be set in /etc/nagios/nrpe.cfg. This is set to '0' in Ubuntu and there are significant warnings in /etc/nagios/nrpe.cfg about the security risks of enabling external command arguments. |
Priority
Status
Package | Release | Status |
---|---|---|
nagios-nrpe | hardy | Ignored (end of life) |
nagios-nrpe | lucid | Ignored (end of life) |
nagios-nrpe | oneiric | Ignored (end of life) |
nagios-nrpe | precise | Ignored (end of life) |
nagios-nrpe | quantal | Ignored (end of life) |
nagios-nrpe | raring | Ignored (end of life) |
nagios-nrpe | saucy | Ignored (end of life) |
nagios-nrpe | upstream | Released (2.14) |
nagios-nrpe | trusty | Does not exist (trusty was not-affected [2.15-0ubuntu1]) |
nagios-nrpe | utopic | Not vulnerable (2.15-0ubuntu1) |
nagios-nrpe | vivid | Not vulnerable (2.15-0ubuntu1) |
nagios-nrpe | wily | Not vulnerable (2.15-0ubuntu1) |
nagios-nrpe | xenial | Not vulnerable (2.15-0ubuntu1) |
nagios-nrpe | yakkety | Not vulnerable (2.15-0ubuntu1) |
nagios-nrpe | zesty | Not vulnerable (2.15-0ubuntu1) |