Command injection in cocoapods-downloader
Published: April 02, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2022-24440 (NVD)
- GHSA: GHSA-7627-mp87-jf6q
- Vendor Advisory: https://github.com/CocoaPods/cocoapods-downloader/pull/124
GEM
SEVERITY
CVSS v3.x: 8.1 (High)
UNAFFECTED VERSIONS
>= 1.6.0, < 1.6.2
PATCHED VERSIONS
= 1.6.0
>= 1.6.3
DESCRIPTION
The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.