
CVE-2022-24440: Command injection in cocoapods-downloader

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: 0.83949%
Published: 4/2/2022
Updated: 5/4/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name          Ecosystem   Vulnerable Versions   First Patched Version
cocoapods-downloader  rubygems    < 1.6.0               1.6.0
cocoapods-downloader  rubygems    >= 1.6.2, < 1.6.3     1.6.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how `preprocess_options` in `git.rb` handled the user-supplied `git` and `branch` parameters. The patch introduced validation that rejects inputs starting with `--` or containing ` --`, confirming that no such check existed in the original code. The CWE-88 (Argument Injection) mapping and the commit diff directly implicate this function. The test case added in `git_spec.rb` also targets this function's insecure input handling, reinforcing its role in the vulnerability.
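Added example in Ruby (not cocoapods-downloader's own code) of the validation the analysis above describes: option values for the git command that start with `--` or contain ` --` are refused before any git argv is built. The names `preprocess_git_options`, `validate_git_options`, `build_git_clone_argv`, `UnsafeGitInputError` and the sample inputs are hypothetical.

```ruby
# Added example (not cocoapods-downloader's own code): a hypothetical
# preprocess step for git options with the validation described in the advisory.

class UnsafeGitInputError < StandardError; end

# A value is unsafe if git could parse it as an option instead of data:
# it starts with "--" or carries a second "--" token after whitespace.
# (The check is limited to the two patterns the advisory names; a "-x"
# style short option is not covered by it.)
def unsafe_git_value?(value)
  value.start_with?('--') || value.include?(' --')
end

# Reject the whole option hash if any string value is unsafe.
def validate_git_options(options)
  options.each do |key, value|
    next unless value.is_a?(String)
    if unsafe_git_value?(value)
      raise UnsafeGitInputError, "unsafe value for #{key}: #{value.inspect}"
    end
  end
  options
end

def safe_git_options?(options)
  validate_git_options(options)
  true
rescue UnsafeGitInputError
  false
end

# Hypothetical argv builder: the remote URL and branch land in positions where
# git reads them, so a "--"-prefixed value would be seen as an option.
def build_git_clone_argv(options, target_dir = 'target_dir')
  argv = ['git', 'clone', options[:git], target_dir]
  argv += ['--branch', options[:branch]] if options[:branch]
  argv
end

# Validation runs before any argv is assembled.
def preprocess_git_options(options)
  build_git_clone_argv(validate_git_options(options))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: an ordinary clone passes, a flag-shaped URL is refused.
  p preprocess_git_options(git: 'https://example.com/repo.git', branch: 'main')
  p safe_git_options?(git: '--hypothetical-option', branch: 'main') # => false
end
```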


WAF Protection Rules

WAF Rule

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters
