CVE-2022-33127 (diffy): Improper handling of double quotes in file name in Diffy in Windows environment

ADVISORIES

CVE-2022-33127 (NVD)
GHSA-5ww9-9qp2-x524
Vendor Advisory

GEM

diffy

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

>= 3.4.1

DESCRIPTION

The function that calls the diff tool in versions of Diffy prior to 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.

https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1

RubySec

CVE-2022-33127 (diffy): Improper handling of double quotes in file name in Diffy in Windows environment

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories