2101888 – (CVE-2022-33127) CVE-2022-33127 rubygem-diffy: remote code execution from user controlled diff file paths

Bug 2101888 (CVE-2022-33127) - CVE-2022-33127 rubygem-diffy: remote code execution from user controlled diff file paths

Summary: CVE-2022-33127 rubygem-diffy: remote code execution from user controlled diff...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2022-33127
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2101889
TreeView+	depends on / blocked

Reported:	2022-06-28 16:10 UTC by Marian Rehak
Modified:	2023-04-04 12:19 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2022-08-30 09:55:52 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2022-06-28 16:10:45 UTC

The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment. This allows attackers to execute arbitrary commands via a crafted string.

Reference:

https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
https://bugzilla.suse.com/show_bug.cgi?id=1200896

Comment 3 Product Security DevOps Team 2022-08-30 09:55:49 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-33127

Note You need to log in before you can comment on or make changes to this bug.