CVE-2022-21223
Command Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
El paquete cocoapods-downloader versiones anteriores a 1.6.2, es vulnerable a la inyección de comandos por medio de una inyección de argumentos hg. Cuando es llamada a la función de descarga (cuando se usa hg), la url (y/o revisión, etiqueta, rama) es pasada al comando hg clone de forma que pueden establecerse flags adicionales. Las flags adicionales pueden ser usadas para llevar a cabo una inyección de comandos
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-24 CVE Reserved
- 2022-04-01 CVE Published
- 2023-10-23 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://snyk.io/vuln/SNYK-RUBY-COCOAPODSDOWNLOADER-2414280 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/CocoaPods/cocoapods-downloader/pull/127 | 2022-04-08 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cocoapods Search vendor "Cocoapods" | Cocoapods-downloader Search vendor "Cocoapods" for product "Cocoapods-downloader" | < 1.6.2 Search vendor "Cocoapods" for product "Cocoapods-downloader" and version " < 1.6.2" | - |
Affected
| ||||||