cocoapods-downloader 0.8.0

2 security vulnerabilities found in version 0.8.0

Command injection in cocoapods-downloader

high severity CVE-2022-24440
high severity CVE-2022-24440
Patched versions: = 1.6.0, >= 1.6.3
Unaffected versions: >= 1.6.0, < 1.6.2

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Command injection in cocoapods-downloader

high severity CVE-2022-21223
high severity CVE-2022-21223
Patched versions: >= 1.6.2

The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.