less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
| Software | From | Fixed in |
|---|---|---|
| greenwoodsoftware / less | - | 653.x |
| debian / debian_linux | 10.0 | 10.0.x |
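
A pre-flight check for the scenario described above, as an added example that is not part of the advisory or of the less project: before paging an extracted tree, it counts file names that contain a newline and refuses when LESSOPEN is also set. The function names and the script name in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the advisory): pre-flight check before paging files
# extracted from an untrusted archive. Function names are illustrative.

# A literal newline, written portably for POSIX sh.
NL='
'

# Print how many entries under directory $1 have a newline in their name.
count_newline_names() {
    find "$1" -name "*${NL}*" -print0 2>/dev/null | tr -dc '\000' | wc -c | tr -d ' '
}

# List those entries one per line, with each embedded newline shown as '?'
# so the report cannot be confused by the names it describes.
list_newline_names() {
    find "$1" -name "*${NL}*" -print0 2>/dev/null | tr '\n\000' '?\n'
}

# True when LESSOPEN is set and non-empty (an input preprocessor is configured).
lessopen_active() {
    [ -n "${LESSOPEN:-}" ]
}

# Return 0 if the tree under $1 can be paged, 1 if both preconditions hold.
safe_to_page() {
    n=$(count_newline_names "$1")
    if [ "$n" -gt 0 ] && lessopen_active; then
        echo "refusing: $n name(s) contain a newline and LESSOPEN is set:" >&2
        list_newline_names "$1" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh check.sh <extracted-dir>
if [ "$#" -gt 0 ]; then
    safe_to_page "$1"
fi
```

Unsetting LESSOPEN for the session, or starting less with `-L` (`--no-lessopen`), removes the second precondition until a fixed build is installed.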