• CVE-ID CVE-2013-1362
  • CVSS Base Score 7.5
  • Vendor Nagios
  • Affected Products NRPE (Configured with --enable-command-args).
  • Affected Platforms All
  • Affected versions < 2.14
  • Remote Exploitable Yes
  • Local Exploitable No
  • Patch Status Vendor released a patch (See Solution)
  • Description

    nrpe 2.13 has, in src/nrpc.c, line 52:

    #define NASTY_METACHARS "|`&><'\"\\[]{};"

    When NRPE is compiled with --enable-command-args (the default for most Linux distributions), the above code allows the passing of $() to plugins/scripts which, if run under bash, will execute that shell command under a subprocess and pass the output as a parameter to the called script. Using this, it is possible to get called scripts, such as check_http, to execute arbitrary commands under the uid that NRPE/nagios is running as (typically, 'nagios').


    Upgrade to NRPE 2.14 or later, available at

    Back to resources

    Copyright ©2013. All Rights Reserved.