CVE-2022-46663 - OpenCVE

In GNU Less before 609, crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Gnu	Less
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:gnu:less:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
less-0:590-2.el9_2	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:3725	2023-06-21T00:00:00Z

References

Link	Providers
http://www.greenwoodsoftware.com/less/news.609.html
http://www.openwall.com/lists/oss-security/2023/02/07/7
https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LR7AUWB34JD4PCW3HHASBEDGGHFWPAQP/
https://nvd.nist.gov/vuln/detail/CVE-2022-46663
https://security.gentoo.org/glsa/202310-11
https://www.cve.org/CVERecord?id=CVE-2022-46663
https://www.openwall.com/lists/oss-security/2023/02/07/7

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-02-07T00:00:00

Updated: 2024-08-03T14:39:38.500Z

Reserved: 2022-12-06T00:00:00

Link: CVE-2022-46663

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-07T21:15:09.247

Modified: 2023-11-07T03:55:43.727

Link: CVE-2022-46663

Redhat

Severity : Moderate

Publid Date: 2023-02-07T00:00:00Z

Links: CVE-2022-46663 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-46663", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T14:39:38.500Z", "dateReserved": "2022-12-06T00:00:00", "datePublished": "2023-02-07T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-10T07:06:15.448520"}, "descriptions": [{"lang": "en", "value": "In GNU Less before 609, crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c"}, {"url": "http://www.greenwoodsoftware.com/less/news.609.html"}, {"url": "https://www.openwall.com/lists/oss-security/2023/02/07/7"}, {"name": "[oss-security] 20230207 CVE-2022-46663: less -R filtering bypass", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/02/07/7"}, {"name": "FEDORA-2023-71442d7613", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LR7AUWB34JD4PCW3HHASBEDGGHFWPAQP/"}, {"name": "GLSA-202310-11", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202310-11"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.500Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c", "tags": ["x_transferred"]}, {"url": "http://www.greenwoodsoftware.com/less/news.609.html", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2023/02/07/7", "tags": ["x_transferred"]}, {"name": "[oss-security] 20230207 CVE-2022-46663: less -R filtering bypass", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/02/07/7"}, {"name": "FEDORA-2023-71442d7613", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LR7AUWB34JD4PCW3HHASBEDGGHFWPAQP/"}, {"name": "GLSA-202310-11", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202310-11"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:less:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A485C64-CC65-4504-8813-9AC601E41820", "versionEndExcluding": "609", "versionStartIncluding": "566", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In GNU Less before 609, crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal."}], "id": "CVE-2022-46663", "lastModified": "2023-11-07T03:55:43.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-07T21:15:09.247", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.greenwoodsoftware.com/less/news.609.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/02/07/7"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LR7AUWB34JD4PCW3HHASBEDGGHFWPAQP/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202310-11"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2023/02/07/7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3725", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "less-0:590-2.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-06-21T00:00:00Z"}], "bugzilla": {"description": "less: crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal", "id": "2169621", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169621"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In GNU Less before 609, crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal.", "A vulnerability was found in less. This flaw allows crafted data to result in \"less -R\" not filtering ANSI escape sequences sent to the terminal."], "name": "CVE-2022-46663", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "less", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "less", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "less", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "less", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "less", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "less", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "less", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "noobaa-core-container", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-core-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Out of support scope", "package_name": "devspaces-theia-rhel8-container", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}], "public_date": "2023-02-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-46663\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-46663\nhttps://www.openwall.com/lists/oss-security/2023/02/07/7"], "threat_severity": "Moderate"}