PT-2023-1363 · Less+8 · Less+8

David Leadbeater

Published

2023-02-07

Updated

2025-03-25

CVE-2022-46663

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Less versions prior to 609

Description The issue is related to incorrect filtering of ANSI escape sequences when processing the -R element. This can be exploited by an attacker to elevate privileges using a specially crafted hyperlink with OSC 8 support. Crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal.

Recommendations For versions prior to 609, update to version 609 or later to resolve the issue. As a temporary workaround, consider disabling the use of the -R option until a patch is available. Restrict access to potentially malicious hyperlinks to minimize the risk of exploitation.

Fix

Improper Neutralization

Special Elements Injection

Improper Encoding or Escaping of Output

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-707CWE-74CWE-116

Related Identifiers

ALSA-2023:3725

ALT-PU-2023-4395

ALT-PU-2023-4415

AZL-13350

BDU:2023-00696

CVE-2022-46663

OESA-2023-1129

OPENSUSE-SU-2023_0348-1

OPENSUSE-SU-2024:12671-1

RHSA-2023:3725

RHSA-2023_3725

RLSA-2023:3725

ROSA-SA-2023-2238

SUSE-SU-2023:0348-1

SUSE-SU-2023_0348-1

USN-5848-1

Affected Products

Alt Linux

Almalinux

Linuxmint

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

Less

PT-2023-1363 · Less+8 · Less+8

CVE-2022-46663

Weakness Enumeration

Related Identifiers

Affected Products

References · 44