Описание
The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Ссылки
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.6.0 (исключая)
Одно из
cpe:2.3:a:cocoapods:cocoapods-downloader:*:*:*:*:*:*:*:*
cpe:2.3:a:cocoapods:cocoapods-downloader:1.6.2:*:*:*:*:*:*:*
EPSS
Процентиль: 72%
0.00698
Низкий
8.1 High
CVSS3
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-88
Связанные уязвимости
EPSS
Процентиль: 72%
0.00698
Низкий
8.1 High
CVSS3
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-88