CVE-2024-32487
CVE-2024-32487
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Produtos afetados
n/a · n/aQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33https://lists.debian.org/debian-lts-announce/2024/05/msg00018.htmlhttps://security.netapp.com/advisory/ntap-20240605-0009/https://www.openwall.com/lists/oss-security/2024/04/12/5https://www.openwall.com/lists/oss-security/2024/04/13/2http://www.openwall.com/lists/oss-security/2024/04/15/1