Description

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.

INFO

Published Date :

2024-07-01T20:42:38.281Z

Last Modified :

2024-08-02T04:04:25.256Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-38366 vulnerability.

Vendors Products
Cocoapods
  • Cocoapods
  • Trunk.cocoapods.org
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-38366.

URL Resource
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023 cve-icon cve-icon
https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#2-remote-code-execution-on-the-cocoapods-trunk-server cve-icon cve-icon
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-x2x4-g675-qg7c cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact