CVE-2022-33127 – diffy

Package

Manager: gem
Name: diffy
Vulnerable Version: >=0 <3.4.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00512 pctl0.65489

Details

Improper handling of double quotes in file name in Diffy in Windows environment The function that calls the diff tool in versions of Diffy prior to 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.

Metadata

Created: 2022-06-24T00:00:31Z
Modified: 2022-07-05T18:02:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-5ww9-9qp2-x524/GHSA-5ww9-9qp2-x524.json
CWE IDs: []
Alternative ID: GHSA-5ww9-9qp2-x524
Finding: F004
Auto approve: 1