{"id":"AZL-39914","summary":"CVE-2024-32487 affecting package less for versions less than 643-2","details":"less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.","modified":"2026-04-01T05:13:54.361389Z","published":"2024-04-13T15:15:52Z","upstream":["CVE-2024-32487"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32487"}],"affected":[{"package":{"name":"less","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/less"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"643-2"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39914.json"}}],"schema_version":"1.7.5"}