CVE-2014-2913 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2014-2913 Interim 1 16 2022-12-03T02:27:37Z current 2021-05-30T13:20:25Z 2022-12-03T02:27:37Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2014-2913 ** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html E-Mail link for SUSE-SU-2014:0682-1 https://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html E-Mail link for openSUSE-SU-2014:0594-1 https://lists.opensuse.org/opensuse-updates/2014-05/msg00014.html E-Mail link for openSUSE-SU-2014:0603-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 11 SP1-TERADATA SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP3 openSUSE Tumbleweed monitoring-plugins-nrpe-4.0.3-3.5 nagios-nrpe-2.12-24.4.10.1 nagios-nrpe-doc-2.12-24.4.10.1 nagios-plugins-nrpe-2.12-24.4.10.1 nrpe-4.0.3-3.5 nrpe-doc-4.0.3-3.5 nagios-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA nagios-nrpe-doc-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA nagios-plugins-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA nagios-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP3 nagios-nrpe-doc-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP3 nagios-plugins-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP3 nagios-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA nagios-nrpe-doc-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA nagios-plugins-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA nagios-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP4 nagios-nrpe-doc-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP4 nagios-plugins-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server 11 SP4 nagios-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 nagios-nrpe-doc-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 nagios-plugins-nrpe-2.12-24.4.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP3 monitoring-plugins-nrpe-4.0.3-3.5 as a component of openSUSE Tumbleweed nrpe-4.0.3-3.5 as a component of openSUSE Tumbleweed nrpe-doc-4.0.3-3.5 as a component of openSUSE Tumbleweed ** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments. CVE-2014-2913 SUSE Linux Enterprise Server 11 SP1-TERADATA:nagios-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP1-TERADATA:nagios-nrpe-doc-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP1-TERADATA:nagios-plugins-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP3:nagios-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP3:nagios-nrpe-doc-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP3:nagios-plugins-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:nagios-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:nagios-nrpe-doc-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:nagios-plugins-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP4:nagios-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP4:nagios-nrpe-doc-2.12-24.4.10.1 SUSE Linux Enterprise Server 11 SP4:nagios-plugins-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:nagios-nrpe-2.12-24.4.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:nagios-nrpe-doc-2.12-24.4.10.1 SUSE Linux Enterprise Server for SAP Applications 11 SP3:nagios-plugins-nrpe-2.12-24.4.10.1 openSUSE Tumbleweed:monitoring-plugins-nrpe-4.0.3-3.5 openSUSE Tumbleweed:nrpe-4.0.3-3.5 openSUSE Tumbleweed:nrpe-doc-4.0.3-3.5 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P