
CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1

Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call.
• https://herolab.usd.de/security-advisories
  https://herolab.usd.de/security-advisories/usd-2020-0001
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DNGKXVDB43E3KQRA6W5QZT3Z46XZLQM
• CWE-681: Incorrect Conversion between Numeric Types
  CWE-787: Out-of-bounds Write

CVSS: 7.3 • EPSS: 0% • CPEs: 2 • EXPL: 1

Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection.
• https://herolab.usd.de/security-advisories
  https://herolab.usd.de/security-advisories/usd-2020-0002
  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DNGKXVDB43E3KQRA6W5QZT3Z46XZLQM

CVSS: 7.5 • EPSS: 93% • CPEs: 32 • EXPL: 2

Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash. The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option, dont_blame_nrpe, which enables command-line arguments to be provided to remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.
• https://www.exploit-db.com/exploits/24955
  http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00005.html
  http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00006.html
  http://seclists.org/bugtraq/2013/Feb/119
  http://www.exploit-db.com/exploits/24955
  http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability
  https://bugzilla.novell.com/show_bug.cgi?id=807241
• CWE-20: Improper Input Validation