CVE-2022-24440: 
Ruby vulnerability analysis and mitigation

The cocoapods-downloader package versions before 1.6.0, from 1.6.2 and before 1.6.3 contained a Command Injection vulnerability via git argument injection. The vulnerability was discovered on March 2, 2022 and was assigned CVE-2022-24440. The vulnerability affected the Pod::Downloader.preprocess_options function when using git, where both git and branch parameters were passed to the git ls-remote subcommand in a way that allowed additional flags to be set (Snyk Report).

The vulnerability occurs when calling the Pod::Downloader.preprocess_options function with git parameters. Both the git and branch parameters are passed to the git ls-remote subcommand without proper sanitization, allowing additional command flags to be injected. The vulnerability has a CVSS score of 7.5, indicating high severity. The issue was discovered by Alessio Della Libera of the Snyk Research Team (Snyk Report, Snyk Blog).

If exploited, this vulnerability could allow attackers to execute arbitrary commands on the affected system through command injection. The impact includes potential remote code execution with the privileges of the application running the cocoapods-downloader package (Snyk Report).

The vulnerability was fixed in versions 1.6.0 and 1.6.3. Users should upgrade to these or later versions. The fix involved adding proper validation of command arguments and introducing the -- characters before user-controlled values to prevent argument injection (GitHub PR).

The vulnerability was responsibly disclosed and promptly fixed by the maintainers. The fix was implemented through pull requests #124 and #128 on GitHub, with the community actively participating in the discussion and verification of the fixes (GitHub PR, GitHub PR).