VYPR
High severityNVD Advisory· Published Apr 1, 2022· Updated Sep 17, 2024

Command Injection

CVE-2022-24440

Description

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
cocoapods-downloaderRubyGems
< 1.6.01.6.0
cocoapods-downloaderRubyGems
>= 1.6.2, < 1.6.31.6.3

Affected products

2

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.