CVE-2014-2913
First published: Wed May 07 2014(Updated: )
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nagios Remote Plugin Executor | <=2.15 | |
| SUSE Linux | =11.4 | |
| SUSE Linux | =12.3 | |
| SUSE Linux | =13.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html
- http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html
- http://seclists.org/fulldisclosure/2014/Apr/240
- http://seclists.org/fulldisclosure/2014/Apr/242
- http://seclists.org/oss-sec/2014/q2/154
- http://seclists.org/oss-sec/2014/q2/155
- http://www.securityfocus.com/bid/66969
Frequently Asked Questions
What is the severity of CVE-2014-2913?
CVE-2014-2913 is disputed in terms of its severity, but it allows remote attackers to execute arbitrary commands due to incomplete input validation.
How do I fix CVE-2014-2913?
To fix CVE-2014-2913, upgrade to a version of Nagios Remote Plugin Executor that is later than 2.15, as older versions are vulnerable.
Which versions of software are affected by CVE-2014-2913?
CVE-2014-2913 affects Nagios Remote Plugin Executor versions up to and including 2.15 and specific versions of openSUSE.
Can CVE-2014-2913 lead to command execution?
Yes, CVE-2014-2913 allows remote attackers to execute arbitrary commands by exploiting the newline character in the -a option.
Is CVE-2014-2913 considered a critical vulnerability?
While CVE-2014-2913 poses a significant risk due to potential command execution, its criticality has been disputed by various parties.
- agent/type
- agent/references
- agent/severity
- agent/status
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/nagios
- canonical/nagios remote plugin executor
- version/nagios remote plugin executor/2.15
- vendor/opensuse
- canonical/suse linux
- version/suse linux/11.4
- version/suse linux/12.3
- version/suse linux/13.1
- status/disputed