CVE-2022-24440

Name of the Vulnerable Software and Affected Versions cocoapods-downloader versions prior to 1.6.0 cocoapods-downloader versions 1.6.2 through 1.6.3

Description The issue concerns Command Injection via git argument injection. When the Pod::Downloader.preprocess options function is called and git is used, both the git and branch parameters are passed to the git ls-remote subcommand in a way that allows additional flags to be set, which can be used to perform a command injection.

Recommendations For versions prior to 1.6.0, update to version 1.6.0 or later. For versions 1.6.2 through 1.6.3, update to version 1.6.3 or later. As a temporary workaround, consider restricting the use of the Pod::Downloader.preprocess options function when using git until a patch is available.