The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment. This allows attackers to execute arbitrary commands via a crafted string.
References
Link | Resource |
---|---|
https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1 | Release Notes Third Party Advisory |
https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593 | Patch Third Party Advisory |
https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1 | Release Notes Third Party Advisory |
https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593 | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 07:07
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1 - Release Notes, Third Party Advisory | |
References | () https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593 - Patch, Third Party Advisory |
Information
Published : 2022-06-23 17:15
Updated : 2024-11-21 07:07
NVD link : CVE-2022-33127
Mitre link : CVE-2022-33127
CVE.ORG link : CVE-2022-33127
JSON object : View
Products Affected
microsoft
- windows
diffy_project
- diffy
CWE