CVE-2024-32487
HIGHDescription
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| greenwoodsoftware | less |
| debian | debian_linux |
| netapp | bootstrap_os |
| netapp | hci_compute_node |
| netapp | hci_storage_nodes |
| netapp | solidfire |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2024-32487? +
How severe is CVE-2024-32487? +
What products are affected by CVE-2024-32487? +
How do I check if I'm vulnerable to CVE-2024-32487? +
Related Vulnerabilities
In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers …
Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three …
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances …
XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any …
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno module allows PHP Local File …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible …