Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39914.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-39914
Upstream
Published
2024-04-13T15:15:52Z
Modified
2026-04-01T05:13:54.361389Z
Summary
CVE-2024-32487 affecting package less for versions less than 643-2
Details

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.

References

Affected packages

Azure Linux:3 / less

Package

Name
less
Purl
pkg:rpm/azure-linux/less

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
643-2

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39914.json"