The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
{ "nvd_published_at": "2022-04-01T18:15:00Z", "cwe_ids": [ "CWE-74", "CWE-88" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-04-04T21:58:52Z" }