CVE-2022-24440 (cocoapods-downloader): Command injection in cocoapods-downloader

ADVISORIES

CVE-2022-24440 (NVD)
GHSA-7627-mp87-jf6q
Vendor Advisory

GEM

cocoapods-downloader

SEVERITY

CVSS v3.x: 8.1 (High)

UNAFFECTED VERSIONS

>= 1.6.0, < 1.6.2

PATCHED VERSIONS

= 1.6.0
>= 1.6.3

DESCRIPTION

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

https://github.com/CocoaPods/cocoapods-downloader/pull/128

RubySec