CVE-2022-24440

HIGH

cocoapods-downloader <1.6.0, 1.6.2-1.6.3 - Command Injection

Title source: llm

Description

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

References (3)

[Third Party Advisory] https://snyk.io/vuln/SNYK-RUBY-COCOAPODSDOWNLOADER-2414278

[Patch, Third Party Advisory] https://github.com/CocoaPods/cocoapods-downloader/pull/124

[Patch, Third Party Advisory] https://github.com/CocoaPods/cocoapods-downloader/pull/128

Scores

CVSS v3 8.1

EPSS 0.0070

EPSS Percentile 72.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-88

Status published

Products (3)

cocoapods/cocoapods-downloader 1.6.2

cocoapods/cocoapods-downloader < 1.6.0

rubygems/cocoapods-downloader 0 - 1.6.0RubyGems

Published Apr 01, 2022

Tracked Since Feb 18, 2026