{"id":"AZL-39933","summary":"CVE-2024-32487 affecting package less for versions less than 590-4","details":"less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.","modified":"2026-04-01T05:13:30.397376Z","published":"2024-04-13T15:15:52Z","upstream":["CVE-2024-32487"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32487"}],"affected":[{"package":{"name":"less","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/less"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"590-4"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39933.json"}}],"schema_version":"1.7.5"}