{"id":"CVE-2024-32487","details":"less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.","modified":"2026-04-16T04:37:57.233019877Z","published":"2024-04-13T15:15:52.683Z","related":["ALSA-2024:3513","ALSA-2024:4256","SUSE-SU-2024:1534-1","SUSE-SU-2024:1550-1","SUSE-SU-2024:1598-1","SUSE-SU-2024:1598-2","SUSE-SU-2024:2060-1","SUSE-SU-2025:20007-1","SUSE-SU-2025:20394-1","openSUSE-SU-2025:14862-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240605-0009/"},{"type":"FIX","url":"https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33"},{"type":"FIX","url":"https://www.openwall.com/lists/oss-security/2024/04/13/2"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2024/04/15/1"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html"},{"type":"ARTICLE","url":"https://www.openwall.com/lists/oss-security/2024/04/12/5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gwsw/less","events":[{"introduced":"0"},{"last_affected":"ff4c47698016bd11f7e7d4e04461b29042b65275"},{"fixed":"007521ac3c95bc76e3d59c6dbfe75d06c8075c33"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"653"}]}}],"versions":["v243","v244","v245","v247","v250","v251","v252","v253","v254","v255","v256","v257","v258","v259","v260","v261","v262","v263","v264","v265","v266","v267","v268","v269","v270","v271","v272","v273","v274","v275","v276","v277","v278","v279","v280","v281","v282","v283","v284","v285","v286","v287","v288","v289","v290","v291","v292","v293","v294","v295","v296","v297","v298","v299","v300","v301","v302","v303","v304","v305","v306","v307","v308","v309","v310","v311","v312","v313","v314","v315","v316","v317","v318","v319","v320","v321","v322","v323","v324","v325","v326","v327","v328","v329","v330","v332","v334","v335","v336","v337","v338","v339","v340","v341","v342","v343","v344","v345","v346","v347","v348","v349","v350","v351","v352","v353","v354","v355","v356","v357","v358","v359","v360","v361","v362","v363","v364","v365","v366","v367","v368","v370","v371","v372","v373","v374","v375","v376","v377","v378","v379","v380","v381","v382","v394","v395","v396","v397","v398","v399","v400","v401","v402","v403","v404","v405","v406","v407","v408","v409","v410","v411","v412","v413","v414","v415","v416","v417","v418","v419","v420","v421","v422","v423","v424","v425","v426","v427","v428","v429","v430","v431","v432","v433","v434","v435","v436","v437","v438","v439","v440","v441","v442","v443","v444","v445","v446","v447","v448","v449","v450","v451","v452","v453","v454","v455","v456","v457","v458","v458-rel","v459","v460","v461","v462","v463","v464","v465","v466","v467","v468","v469","v470","v471","v473","v474","v475","v476","v477","v478","v479","v480","v481","v481-rel","v482","v483","v484","v485","v486","v487","v487-rel","v488","v489","v490","v491","v492","v493","v494","v495","v496","v497","v499","v500","v501","v502","v503","v504","v505","v506","v507","v508","v509","v510","v511","v512","v513","v514","v515","v516","v517","v518","v519","v520","v521","v522","v523","v524","v525","v526","v527","v529","v530","v530-rel","v531","v532","v533","v534","v535","v536","v537","v538","v539","v540","v541","v542","v543","v544","v545","v546","v547","v548","v549","v550","v551","v551-rel","v553","v554","v555","v556","v557","v558","v559","v560","v561","v562","v563","v563-rel","v564","v566","v567","v568","v569","v570","v571","v572","v573","v574","v575","v576","v577","v578","v579","v580","v581","v581-rel","v582","v583","v584","v585","v586","v590","v590-rel","v591","v592","v594","v595","v596","v597","v598","v600","v601","v602","v603","v605","v607","v608","v608-rel","v616","v617","v618","v619","v620","v621","v623","v624","v625","v626","v627","v628","v629","v630","v631","v632","v633","v633-rel","v634","v635","v636","v639","v640","v641","v642","v643","v643-rel","v644","v646","v647","v648","v649","v650","v651","v653"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"vanir_signatures_modified":"2026-04-12T09:49:34Z","vanir_signatures":[{"target":{"function":"shell_quoten","file":"filename.c"},"signature_version":"v1","source":"https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33","id":"CVE-2024-32487-3e056bdc","signature_type":"Function","digest":{"function_hash":"21512441872404318376774822434280745476","length":846},"deprecated":false},{"target":{"file":"filename.c"},"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["6392856912888587988469121716084137540","270698381364005912365080033924923909128","318074949332500423466599373294260241169","328415284983022296077022486907155490794","289737217164822785345111873191726688282","189455528938103306586446648766268305176","218584657416246573268543105314978548151","183112455831047898812042513852324344280","189813269534570981535526249696743330997","320490191076196738139528607302830583836","313537205324788312003463297808254168523","71429175339232634504927653181210309974","96387650130909143470870128363097199606","255033481903084783363520326276290220715","151725255370670263930159020310191496177","25140373869608485903155282993232658089","97183714326804796251507833940305662688","149680852007861882086952961165833901061","78485727664940003197033471613650392146","231954030887503870082288013121597790953"]},"id":"CVE-2024-32487-902a445c","signature_type":"Line","source":"https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32487.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}