CVE-2024-32487
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/04/2024
Last modified:
17/06/2025
Description
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
Impact
Base Score 3.x
8.60
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:greenwoodsoftware:less:*:*:*:*:*:*:*:* | 653 (including) | |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:hci_storage_nodes:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/04/15/1
- https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
- https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html
- https://security.netapp.com/advisory/ntap-20240605-0009/
- https://www.openwall.com/lists/oss-security/2024/04/12/5
- https://www.openwall.com/lists/oss-security/2024/04/13/2
- http://www.openwall.com/lists/oss-security/2024/04/15/1
- https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
- https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html
- https://security.netapp.com/advisory/ntap-20240605-0009/
- https://www.openwall.com/lists/oss-security/2024/04/12/5
- https://www.openwall.com/lists/oss-security/2024/04/13/2