CVE-2024-32487

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
Configurations

Configuration 1 (hide)

cpe:2.3:a:greenwoodsoftware:less:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:netapp:hci_storage_nodes:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

History

17 Jun 2025, 20:58

Type Values Removed Values Added
First Time Debian
Greenwoodsoftware
Netapp solidfire
Netapp hci Compute Node
Netapp hci Storage Nodes
Debian debian Linux
Greenwoodsoftware less
Netapp
Netapp bootstrap Os
CPE cpe:2.3:a:netapp:hci_storage_nodes:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*
cpe:2.3:a:greenwoodsoftware:less:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
References () http://www.openwall.com/lists/oss-security/2024/04/15/1 - () http://www.openwall.com/lists/oss-security/2024/04/15/1 - Mailing List
References () https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33 - () https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33 - Patch
References () https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html - () https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html - Mailing List
References () https://security.netapp.com/advisory/ntap-20240605-0009/ - () https://security.netapp.com/advisory/ntap-20240605-0009/ - Vendor Advisory
References () https://www.openwall.com/lists/oss-security/2024/04/12/5 - () https://www.openwall.com/lists/oss-security/2024/04/12/5 - Mailing List
References () https://www.openwall.com/lists/oss-security/2024/04/13/2 - () https://www.openwall.com/lists/oss-security/2024/04/13/2 - Mailing List, Patch

21 Nov 2024, 09:15

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/04/15/1 - () http://www.openwall.com/lists/oss-security/2024/04/15/1 -
References () https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33 - () https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33 -
References () https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html - () https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html -
References () https://security.netapp.com/advisory/ntap-20240605-0009/ - () https://security.netapp.com/advisory/ntap-20240605-0009/ -
References () https://www.openwall.com/lists/oss-security/2024/04/12/5 - () https://www.openwall.com/lists/oss-security/2024/04/12/5 -
References () https://www.openwall.com/lists/oss-security/2024/04/13/2 - () https://www.openwall.com/lists/oss-security/2024/04/13/2 -

08 Jul 2024, 14:18

Type Values Removed Values Added
CWE CWE-96
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.6

10 Jun 2024, 18:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html -

10 Jun 2024, 17:16

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240605-0009/ -

01 May 2024, 18:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/04/15/1 -

15 Apr 2024, 13:15

Type Values Removed Values Added
Summary
  • (es) less hasta 653 permite la ejecución de comandos del sistema operativo mediante un carácter de nueva línea en el nombre de un archivo, porque las comillas se manejan mal en filename.c. La explotación normalmente requiere el uso de nombres de archivos controlados por el atacante, como los archivos extraídos de un archivo que no es de confianza. La explotación también requiere la variable de entorno LESSOPEN, pero está configurada de forma predeterminada en muchos casos comunes.

13 Apr 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-13 15:15

Updated : 2025-06-17 20:58


NVD link : CVE-2024-32487

Mitre link : CVE-2024-32487

CVE.ORG link : CVE-2024-32487


JSON object : View

Products Affected

greenwoodsoftware

  • less

netapp

  • bootstrap_os
  • solidfire
  • hci_storage_nodes
  • hci_compute_node

debian

  • debian_linux
CWE
CWE-96

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')