Metric | Value |
---|---|
CVSS2 score | 7.5 High |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
EPSS | 0.938 High |
EPSS percentile | 99.1% |

Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In
Executor (NRPE) before 2.14 might allow remote attackers to execute
arbitrary shell commands via “$()” shell metacharacters, which are
processed by bash.
Author | Note |
---|---|
jdstrand | This is a problem but requires ‘dont_blame_nrpe’ to be set in /etc/nagios/nrpe.cfg. This is set to ‘0’ in Ubuntu and there are significant warnings in /etc/nagios/nrpe.cfg about the security risks of enabling external command arguments. |
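
The precondition in the note can be checked on a host by auditing nrpe.cfg. The following is an added example, not code from NRPE or from this tracker: it reports whether `dont_blame_nrpe` is enabled and which `command[...]` definitions pass client-supplied `$ARGn$` macros to the command line. The function name, the sample config and the assumption that the last `dont_blame_nrpe` assignment wins are this example's own, and `include`/`include_dir` targets are listed for separate review rather than followed.

```python
import re

# Constructed sample config for the example, not taken from a real host.
SAMPLE_CFG = """\
# sample nrpe.cfg (constructed)
server_port=5666
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
include_dir=/etc/nagios/nrpe.d/
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")           # client-supplied argument macro
COMMAND = re.compile(r"^command\[([^\]]+)\]$")  # command[<name>] directive


def audit_nrpe_cfg(text):
    """Hypothetical helper: summarise command-argument exposure in nrpe.cfg text."""
    allow_args = False   # arguments are off unless the config turns them on
    arg_commands = []    # commands whose definition contains $ARGn$
    includes = []        # include/include_dir targets, not followed here
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name == "dont_blame_nrpe":
            # Assumption: a later assignment overrides an earlier one.
            allow_args = value == "1"
        elif name in ("include", "include_dir"):
            includes.append(value)
        else:
            match = COMMAND.match(name)
            if match and ARG_MACRO.search(value):
                arg_commands.append(match.group(1))
    return {
        "arguments_enabled": allow_args,
        "commands_taking_arguments": arg_commands,
        "unreviewed_includes": includes,
        # Client input reaches a command line only when both conditions hold.
        "needs_review": allow_args and bool(arg_commands),
    }


if __name__ == "__main__":
    print(audit_nrpe_cfg(SAMPLE_CFG))
```

A host flagged with `needs_review` should also have its NRPE version compared against 2.14, the fixed release named in the description.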