RubySec

Providing security resources for the Ruby community

CVE-2022-21223 (cocoapods-downloader): Command injection in cocoapods-downloader

ADVISORIES

GEM

cocoapods-downloader

SEVERITY

CVSS v3.x: 8.1 (High)

PATCHED VERSIONS

  • >= 1.6.2

DESCRIPTION

The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.