CVE-2022-33127 - Unspecified vulnerability in Diffy Project Diffy 3.4.1
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
OS | | 1 |
References
- https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1
- https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593