CVE-2024-32487

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.

Published: Apr 13, 2024
Updated: Apr 14, 2024
CVE: CVE-2024-32487
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
greenwoodsoftware / less	-	653.x
debian / debian_linux	10.0	10.0.x

http://www.openwall.com/lists/oss-security/2024/04/15/1
https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html
https://security.netapp.com/advisory/ntap-20240605-0009/
https://www.openwall.com/lists/oss-security/2024/04/12/5
https://www.openwall.com/lists/oss-security/2024/04/13/2

Vulnerability Database

290,206

CVE-2024-32487