CVE-2022-33127

Опубликовано: 23 июн. 2022

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment. This allows attackers to execute arbitrary commands via a crafted string.

Ссылки

https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1
Release Notes
Third Party Advisory
https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
Patch
Third Party Advisory
https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1
Release Notes
Third Party Advisory
https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:diffy_project:diffy:3.4.1:*:*:*:*:ruby:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

EPSS

Процентиль: 67%

0.0054

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

CVE-2022-33127

CVSS3: 9.8

ubuntu

больше 3 лет назад

CVE-2022-33127

CVSS3: 7.5

redhat

больше 3 лет назад

CVE-2022-33127

CVSS3: 9.8

debian

больше 3 лет назад

The function that calls the diff tool in Diffy 3.4.1 does not properly ...

GHSA-5ww9-9qp2-x524

CVSS3: 9.8

github

больше 3 лет назад

Improper handling of double quotes in file name in Diffy in Windows environment

EPSS

Процентиль: 67%

0.0054

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo