CVE-2024-32487

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-32487
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-32487.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-32487
Downstream
Related
Published
2024-04-13T15:15:52.683Z
Modified
2025-11-15T18:58:44.637860Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.

References

Affected packages

Git / github.com/gwsw/less

Affected ranges

Type
GIT
Repo
https://github.com/gwsw/less
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
007521ac3c95bc76e3d59c6dbfe75d06c8075c33

Affected versions

Other

v243
v244
v245
v247
v250
v251
v252
v253
v254
v255
v256
v257
v258
v259
v260
v261
v262
v263
v264
v265
v266
v267
v268
v269
v270
v271
v272
v273
v274
v275
v276
v277
v278
v279
v280
v281
v282
v283
v284
v285
v286
v287
v288
v289
v290
v291
v292
v293
v294
v295
v296
v297
v298
v299
v300
v301
v302
v303
v304
v305
v306
v307
v308
v309
v310
v311
v312
v313
v314
v315
v316
v317
v318
v319
v320
v321
v322
v323
v324
v325
v326
v327
v328
v329
v330
v332
v334
v335
v336
v337
v338
v339
v340
v341
v342
v343
v344
v345
v346
v347
v348
v349
v350
v351
v352
v353
v354
v355
v356
v357
v358
v359
v360
v361
v362
v363
v364
v365
v366
v367
v368
v370
v371
v372
v373
v374
v375
v376
v377
v378
v379
v380
v381
v382
v394
v395
v396
v397
v398
v399
v400
v401
v402
v403
v404
v405
v406
v407
v408
v409
v410
v411
v412
v413
v414
v415
v416
v417
v418
v419
v420
v421
v422
v423
v424
v425
v426
v427
v428
v429
v430
v431
v432
v433
v434
v435
v436
v437
v438
v439
v440
v441
v442
v443
v444
v445
v446
v447
v448
v449
v450
v451
v452
v453
v454
v455
v456
v457
v458
v458-rel
v459
v460
v461
v462
v463
v464
v465
v466
v467
v468
v469
v470
v471
v473
v474
v475
v476
v477
v478
v479
v480
v481
v481-rel
v482
v483
v484
v485
v486
v487
v487-rel
v488
v489
v490
v491
v492
v493
v494
v495
v496
v497
v499
v500
v501
v502
v503
v504
v505
v506
v507
v508
v509
v510
v511
v512
v513
v514
v515
v516
v517
v518
v519
v520
v521
v522
v523
v524
v525
v526
v527
v529
v530
v530-rel
v531
v532
v533
v534
v535
v536
v537
v538
v539
v540
v541
v542
v543
v544
v545
v546
v547
v548
v549
v550
v551
v551-rel
v553
v554
v555
v556
v557
v558
v559
v560
v561
v562
v563
v563-rel
v564
v566
v567
v568
v569
v570
v571
v572
v573
v574
v575
v576
v577
v578
v579
v580
v581
v581-rel
v582
v583
v584
v585
v586
v587
v588
v589
v590
v590-rel
v591
v592
v593
v594
v595
v596
v597
v598
v599
v600
v601
v602
v603
v605
v606
v607
v608
v608-rel
v609
v610
v611
v612
v613
v614
v615
v616
v617
v618
v619
v620
v621
v622
v623
v624
v625
v626
v627
v628
v629
v630
v631
v632
v633
v633-rel
v634
v635
v636
v637
v638
v639
v640
v641
v642
v643
v643-rel
v644
v645
v646
v647
v648
v649
v650
v651
v652
v653

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33",
        "signature_type": "Function",
        "target": {
            "function": "shell_quoten",
            "file": "filename.c"
        },
        "id": "CVE-2024-32487-3e056bdc",
        "digest": {
            "length": 846.0,
            "function_hash": "21512441872404318376774822434280745476"
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33",
        "signature_type": "Line",
        "target": {
            "file": "filename.c"
        },
        "id": "CVE-2024-32487-902a445c",
        "digest": {
            "line_hashes": [
                "6392856912888587988469121716084137540",
                "270698381364005912365080033924923909128",
                "318074949332500423466599373294260241169",
                "328415284983022296077022486907155490794",
                "289737217164822785345111873191726688282",
                "189455528938103306586446648766268305176",
                "218584657416246573268543105314978548151",
                "183112455831047898812042513852324344280",
                "189813269534570981535526249696743330997",
                "320490191076196738139528607302830583836",
                "313537205324788312003463297808254168523",
                "71429175339232634504927653181210309974",
                "96387650130909143470870128363097199606",
                "255033481903084783363520326276290220715",
                "151725255370670263930159020310191496177",
                "25140373869608485903155282993232658089",
                "97183714326804796251507833940305662688",
                "149680852007861882086952961165833901061",
                "78485727664940003197033471613650392146",
                "231954030887503870082288013121597790953"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    }
]