CVE-2022-33127
CRITICALdiffy < 3.4.1 - OS Command Injection via Filename with Double Quotes
Title source: llmDescription
The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment. This allows attackers to execute arbitrary commands via a crafted string.
References (2)
Core 2
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1
Patch, Third Party Advisory x_refsource_misc
https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
Scores
CVSS v3
9.8
EPSS
0.0054
EPSS Percentile
67.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (2)
diffy_project/diffy
3.4.1
rubygems/diffy
0 - 3.4.1RubyGems
Published
Jun 23, 2022
Tracked Since
Feb 18, 2026