You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
mend-bolt-for-githubbot
changed the title
CVE-2022-24440 (High) detected in cocoapods-downloader-1.5.1.gem
CVE-2022-24440 (High) detected in cocoapods-downloader-1.5.1.gem - autoclosed
Jun 14, 2022
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
CVE-2022-24440 - High Severity Vulnerability
Vulnerable Library - cocoapods-downloader-1.5.1.gem
Library home page: https://rubygems.org/gems/cocoapods-downloader-1.5.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/cocoapods-downloader-1.5.1.gem
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Publish Date: 2022-04-01
URL: CVE-2022-24440
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24440
Release Date: 2022-04-01
Fix Resolution: cocoapods-downloader - 1.6.0,1.6.3
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: