Arbitrary Command Execution Vulnerability in Nagios Plugins
CVE-2023-37154

Currently unrated

Key Information:

Vendor: Nagios
Vendor: CVE Published:; 9 October 2024

What is CVE-2023-37154?

The vulnerability in Nagios nagios-plugins version 2.4.5 permits arbitrary command execution through the misuse of check_by_ssh functionality. This exploitation involves the ProxyCommand, LocalCommand, and PermitLocalCommand options, allowing malicious users to execute unauthorized commands by leveraging environment variables such as ${IFS}. Although categorized differently in the software revisions, this issue poses a significant risk to unpatched installations, making it essential for users to review their configurations and apply necessary updates.

References

https://github.com/nagios-plugins/nagios-plugins/commit/e...

https://github.com/monitoring-plugins/monitoring-plugins/...

https://joshua.hu/nagios-hacking-cve-2023-37154

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 9, 2024
Vulnerability Reserved
Jun 28, 2023