8.6
CVE-2024-32487
- EPSS 0.26%
- Veröffentlicht 13.04.2024 15:15:52
- Zuletzt bearbeitet 17.06.2025 20:58:12
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Greenwoodsoftware ≫ Less Version <= 653
Debian ≫ Debian Linux Version10.0
Netapp ≫ Bootstrap Os Version-
Netapp ≫ Hci Storage Nodes Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.497 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.6 | 1.8 | 6 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
|
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.