Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01d3c5LTlxcDIteDUyNM4AAs80

Improper handling of double quotes in file name in Diffy in Windows environment

The function that calls the diff tool in versions of Diffy prior to 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.

Permalink: https://github.com/advisories/GHSA-5ww9-9qp2-x524
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01d3c5LTlxcDIteDUyNM4AAs80
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-5ww9-9qp2-x524, CVE-2022-33127
References: Repository: https://github.com/samg/diffy
Blast Radius: 37.2

Affected Packages

rubygems:diffy
Dependent packages: 209
Dependent repositories: 6,198
Downloads: 58,927,289 total
Affected Version Ranges: < 3.4.1
Fixed in: 3.4.1
All affected versions: 1.1.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.4.0
All unaffected versions: 3.4.1, 3.4.2