CVE-2022-33127

Name of the Vulnerable Software and Affected Versions Diffy versions prior to 3.4.1 Diffy version 3.4.1

Description The function that calls the diff tool in Diffy does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.

Recommendations For Diffy versions prior to 3.4.1, update to version 3.4.1 or later to resolve the issue. For Diffy version 3.4.1, consider disabling the function that calls the diff tool until a patch is available. Restrict access to the diff tool to minimize the risk of exploitation. Avoid using double quotes in filenames when running Diffy in a Windows environment until the issue is resolved.