The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment. This allows attackers to execute arbitrary commands via a crafted string.
References
Link | Resource |
---|---|
https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1 | Release Notes Third Party Advisory |
https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593 | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
No history.
Information
Published : 2022-06-23 17:15
Updated : 2024-02-28 19:09
NVD link : CVE-2022-33127
Mitre link : CVE-2022-33127
CVE.ORG link : CVE-2022-33127
JSON object : View
Products Affected
microsoft
- windows
diffy_project
- diffy
CWE