PT-2024-3432 · Less+10 · Less+10
Jakub Wilk
·
Published
2024-04-12
·
Updated
2026-03-29
·
CVE-2024-32487
CVSS v3.1
8.6
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
less versions through 653
Description:
The issue is related to incorrect handling of quotes in the filename.c file, which can allow an attacker to execute arbitrary commands. This typically requires the use of attacker-controlled file names, such as those extracted from an untrusted archive, and the LESSOPEN environment variable, which is set by default in many cases.
Recommendations:
For versions through 653, consider disabling the LESSOPEN environment variable as a temporary workaround until a patch is available. Restrict access to files with potentially malicious names to minimize the risk of exploitation. Avoid using less with untrusted archives or files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Zvirt Node
Less