CVE-2024-32487 — Static Code Injection in Less

CWE-96 — Static Code Injection CWE-78 — OS Command Injection7 documents7 sources

Severity

8.6HIGHNVD

EPSS

0.3%

top 44.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Less Debian Less Greenwoodsoftware Less +7 more

Timeline

PublishedApr 13

Latest updateApr 29

Description

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages9 packages

▶debiandebian/less< less 590-2.1~deb12u2 (bookworm)

▶Debiangnu/less< 551-2+deb11u2+3

▶NVDgreenwoodsoftware/less653

▶msrcmsrc/azl3_less_643-2_on_azure_linux_3.0

▶msrcmsrc/cbl2_less_590-4_on_cbl_mariner_2.0

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: www.openwall.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f53j-pgm5-c4r3: less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename↗2024-04-13

▶

OSV

CVE-2024-32487: less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename↗2024-04-13

▶

📋Vendor Advisories

Ubuntu

less vulnerability↗2024-04-29

▶

Red Hat

less: OS command injection↗2024-04-13

▶

Microsoft

less through 653 allows OS command execution via a newline character in the name of a file because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled fil↗2024-04-09

▶

Debian

CVE-2024-32487: less - less through 653 allows OS command execution via a newline character in the name...↗2024

▶