Less utility OS command exec via newline injection
CVE-2024-32487 Published on April 13, 2024
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
Vulnerability Analysis
CVE-2024-32487 can be exploited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Static Code Injection Vulnerability?
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
CVE-2024-32487 has been classified to as a Static Code Injection vulnerability or weakness.
Products Associated with CVE-2024-32487
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-32487 are published in these products:
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.