CVE-2022-48624: 
NixOS vulnerability analysis and mitigation

A vulnerability was identified in the less utility (CVE-2022-48624) affecting versions prior to 606. The vulnerability exists in the close_altfile() function in filename.c, where shell_quote calls for LESSCLOSE are omitted, potentially leading to security issues when processing files (Red Hat Portal, CVE Mitre).

The vulnerability specifically affects the close_altfile() function in filename.c of the less utility. The issue stems from the omission of shell_quote calls for LESSCLOSE, a command line used to invoke optional functionality. This vulnerability was addressed in version 606 of the software through the addition of proper shell quoting for filenames when invoking LESSCLOSE (Github Commit).

The successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability has received a CVSS score of 8.4 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

The vulnerability has been fixed in less version 606 and later. Various distributions have released security updates to address this vulnerability. For example, Red Hat has released updates for their Enterprise Linux platform, and Debian has addressed this in version 487-0.1+deb10u1 for Debian 10 (Debian LTS, Red Hat Advisory).