Veracode Vulnerability DatabaseVERACODE:46625

HistoryApr 26, 2024 - 4:16 a.m.

OS Command Execution

2024-04-2604:16:41

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

os command execution

less command-line utility

mishandling of quoting

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.3%

JSON

less is vulnerable to OS command execution. The vulnerability is due to mishandling of quoting in the filename.c file within the less command-line utility, allowing attackers to execute arbitrary commands via a newline character in the name of a file.

CPENameOperatorVersion
less:sideq551-2
less:bustereq487-0.1+b1
less:sideq551-2
less:bustereq487-0.1+b1

Name	Operator	Version
less:sid	eq	551-2
less:buster	eq	487-0.1+b1
less:sid	eq	551-2
less:buster	eq	487-0.1+b1

References

www.openwall.com/lists/oss-security/2024/04/15/1

github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33

lists.debian.org/debian-lts-announce/2024/05/msg00018.html

security-tracker.debian.org/tracker/CVE-2024-32487

security.netapp.com/advisory/ntap-20240605-0009/

www.openwall.com/lists/oss-security/2024/04/12/5

www.openwall.com/lists/oss-security/2024/04/13/2