mapper icon indicating copy to clipboard operation
mapper copied to clipboard
verified publisher icon lyft

fix: command Injection in cocoapods-downloader

Open imhunterand opened this issue 1 year ago • 0 comments

The project lyft/mapper was used cocoapods before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

require 'cocoapods-downloader'

options = { :git => '--upload-pack=touch ./lyft/mapper;', :branch => 'foo'}
options = Pod::Downloader.preprocess_options(options)

# ls -la

CVE-2022-24440 CWE-74 CWE-88 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

imhunterand avatar Apr 27 '24 00:04 imhunterand