CVE-2022-33127: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

June 23, 2022 (updated June 29, 2022)

The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment. This allows attackers to execute arbitrary commands via a crafted string.

References

github.com/advisories/GHSA-5ww9-9qp2-x524
github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG
github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
nvd.nist.gov/vuln/detail/CVE-2022-33127

Code Behaviors & Features

Detect and mitigate CVE-2022-33127 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →