Key Information

Advisory ID: usd-2020-0002
CVE Number: CVE-2020-6581
Affected Product: Nagios NRPE
Affected Version: v3.2.1
Vulnerability Type: Insufficient Filtering of Configuration File
Security Risk: Medium
Vendor URL: https://www.nagios.org/
Vendor Status: Fixed in v4.0.0 (not verified)

Description:
Insufficient filtering and incorrect parsing of the configuration file may lead to command injection. Special characters in the relevant configuration option are not interpreted correctly while the file is parsed, so the filter applied to command arguments does not block the characters it is meant to block.

Prerequisites:
NRPE must be compiled with command line parameter support, and the corresponding option must be enabled in the NRPE configuration file.

Proof of Concept (PoC):
If NRPE is compiled with command line parameter support and the corresponding option is enabled in the configuration file, NRPE accepts additional parameters from the client and passes them as command line parameters to the configured monitoring scripts. Because the configured filter is parsed incorrectly, parameters containing special characters are not rejected, which can lead to command injection.

Fix:
While parsing the option in the configuration file, special characters should be interpreted correctly.

Timeline:
2020-01-06: Vulnerability discovered by Tobias Neitzel.
2020-01-08: Initial contact.
2020-01-15: Nagios NRPE v4.0.0 released.
2020-03-04: Security advisory released.

Credits:
This vulnerability was discovered by Tobias Neitzel of usd AG.
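The following is an added illustration of the bug class the advisory describes, written for this page; it is not NRPE source code and not the advisory author's proof of concept. It models a metacharacter filter whose list of banned characters is read from a configuration file: one parser takes the directive's escape sequences literally (so the two characters backslash and n are banned, but an actual newline is not), the other decodes them first. The directive names dont_blame_nrpe and nasty_metachars are taken from NRPE's sample nrpe.cfg; the config fragment, the check_disk command template, the client arguments and the parsing logic are constructed for the example. It is assumed, as with popen(), that the assembled command line is handed to /bin/sh -c, where a newline separates commands.

```python
"""Added example (not NRPE code): a config-driven argument filter, parsed
literally (vulnerable) versus with escape sequences decoded (fixed)."""

# Constructed nrpe.cfg fragment. Raw string: "\r\n" on this line is the four
# characters backslash, r, backslash, n, exactly as they sit in the file.
CONFIG_TEXT = r"""
dont_blame_nrpe=1
nasty_metachars=|`&><'"\\[]{};\r\n
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$
"""

# C-style escapes the fixed parser understands (assumed set for this example).
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\"}


def parse_config(text):
    """Minimal key=value parser; command[name]=... lines go into 'commands'."""
    cfg = {"commands": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.startswith("command[") and key.endswith("]"):
            cfg["commands"][key[len("command["):-1]] = value
        else:
            cfg[key] = value
    return cfg


def metachars_literal(value):
    """Vulnerable: every byte of the directive is banned as written, so the
    "\n" in the file bans '\\' and 'n' but never a real newline."""
    return set(value)


def metachars_unescaped(value):
    """Fixed: decode backslash escapes so "\n" in the file bans newline."""
    banned = set()
    chars = iter(value)
    for ch in chars:
        if ch != "\\":
            banned.add(ch)
            continue
        nxt = next(chars, None)
        if nxt is None:          # trailing lone backslash: ban the backslash
            banned.add("\\")
        else:                    # known escape -> control char, else literal
            banned.add(ESCAPES.get(nxt, nxt))
    return banned


def argument_is_nasty(arg, banned):
    return any(ch in banned for ch in arg)


def build_command(template, args):
    """Substitute $ARG1$, $ARG2$, ... into the configured command line."""
    for i, arg in enumerate(args, start=1):
        template = template.replace(f"$ARG{i}$", arg)
    return template


def run_check(cfg, name, args, metachar_parser):
    """Return ('rejected', offending_arg) or ('accepted', shell_command_line).
    The accepted line is what would be passed to /bin/sh -c (assumption)."""
    if args and cfg.get("dont_blame_nrpe") != "1":
        return ("rejected", "command arguments are disabled")
    banned = metachar_parser(cfg["nasty_metachars"])
    for arg in args:
        if argument_is_nasty(arg, banned):
            return ("rejected", arg)
    return ("accepted", build_command(cfg["commands"][name], args))


CFG = parse_config(CONFIG_TEXT)

# Constructed attacker-supplied arguments: the second one carries a real
# newline, so a shell would run "cat /etc/passwd" as a second command.
INJECTED = ["20%", "10%\ncat /etc/passwd"]

if __name__ == "__main__":
    print("literal  :", run_check(CFG, "check_disk", INJECTED, metachars_literal))
    print("unescaped:", run_check(CFG, "check_disk", INJECTED, metachars_unescaped))
    # Collateral effect of the literal parse: harmless arguments containing
    # the letters r or n are rejected, which is a sign the filter is wrong.
    print("literal, '20n':", run_check(CFG, "check_disk", ["20n"], metachars_literal))
```

When checking an NRPE build for this class of problem, the two observable symptoms are the ones the example reproduces: an argument containing a raw newline or carriage return is accepted, and ordinary arguments containing the letters that follow a backslash in the directive (here r and n) are refused. Either symptom means the configured filter is being applied to the wrong character set.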