CVE-2014-2913: Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary com...

Description

Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments

Metrics

EPSS Probability

15.31%

96.3th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Nagios	Remote Plugin Executor	<= 2.15
Opensuse	Opensuse	11.4
Opensuse	Opensuse	12.3
Opensuse	Opensuse	13.1

References

Timeline

Published: May 7, 2014
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2014-2913?

Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments

How severe is CVE-2014-2913?

Severity scoring for CVE-2014-2913 is pending analysis. The EPSS model estimates a 15.31% probability of exploitation in the next 30 days.

How do I fix CVE-2014-2913?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.