Vulnerabilities > CVE-2022-33127 - Unspecified vulnerability in Diffy Project Diffy 3.4.1

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

diffy-project

NVD

Published: 2022-06-23

Updated: 2022-06-29

Summary

The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment. This allows attackers to execute arbitrary commands via a crafted string.

Vulnerable Configurations

Part	Description	Count
Application	Diffy_Project Diffy Project Diffy 3.4.1	1
OS	Microsoft Microsoft Windows -	1

References

https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1