
CVE-2022-33127: Improper handling of double quotes in file name in Diffy in Windows environment

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.65369%
CWE: -
Published: 6/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: diffy
Ecosystem: rubygems
Vulnerable Versions: < 3.4.1
First Patched Version: 3.4.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from the Windows-specific code path in Diff::Diff#diff that constructed a command string using sprintf with user-controlled filenames wrapped in quotes. This approach used shell execution (via backticks) which doesn't properly handle argument escaping, allowing attackers to break out of the filename quoting and inject commands. The patch replaced this with Open3.capture3 which safely passes arguments without shell interpolation. The commit diff clearly shows removal of the vulnerable Windows-specific code block, confirming this was the attack vector.
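To make the two patterns above concrete, the following is an added example (not Diffy's own code): a reconstruction of the string-building, shell-executed style the analysis describes next to the argv-based Open3.capture3 style the patch adopted. The function names, the constructed file name containing a double quote, and the use of a Ruby child process (instead of the real diff binary) are assumptions made for the demonstration; Shellwords tokenizes with POSIX rules rather than cmd.exe rules, which is enough to show why the quoting breaks.

```ruby
require 'open3'
require 'rbconfig'
require 'shellwords'

# Vulnerable pattern, reconstructed to mirror the pre-3.4.1 Windows path:
# one command string built with format/sprintf, file names merely wrapped
# in double quotes, later handed to a shell (via backticks) for parsing.
def build_shell_command(diff_bin, options, paths)
  quoted = paths.map { |p| %("#{p}") }.join(' ')
  format('"%s" %s %s', diff_bin, options.join(' '), quoted)
end

# How a shell would tokenize that string. A '"' inside a file name closes
# the quoting early, so the shell sees more arguments than the caller meant.
# (Shellwords is POSIX, not cmd.exe; the splitting effect is the same idea.)
def shell_tokens_for(paths, diff_bin: 'diff', options: ['-u'])
  Shellwords.split(build_shell_command(diff_bin, options, paths))
end

# Hardened pattern (what 3.4.1 switched to): an argv array via Open3.capture3.
# No shell parses the file names; each path arrives as exactly one argument.
def run_without_shell(bin, options, paths)
  out, _err, status = Open3.capture3(bin, *options, *paths)
  [out, status.exitstatus]
end

# Demo on constructed input: a file name that contains a double quote. The
# child here is the current Ruby interpreter reporting its argv count, so the
# example runs offline without a diff binary.
if __FILE__ == $PROGRAM_NAME
  paths = ['a" "x', 'c.txt']
  puts shell_tokens_for(paths).inspect # ["diff", "-u", "a", "x", "c.txt"]
  out, = run_without_shell(RbConfig.ruby, ['-e', 'print ARGV.length'], paths)
  puts out                             # 2
end
```

The shell-parsed form yields five tokens where four were intended, which is the boundary an attacker-controlled name crosses; the argv form delivers the two paths untouched.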


WAF Protection Rules

WAF Rule

The function that calls the diff tool in versions of Diffy prior to 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.
