Description

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.

INFO

Published Date :

2024-07-01T20:48:06.861Z

Last Modified :

2024-08-19T14:50:18.770Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-38367 vulnerability.

Vendors Products
Cocoapods
  • Trunk.cocoapods.org
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-38367.

URL Resource
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023 cve-icon cve-icon cve-icon
https://evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#vulnerability-3-achieving-zero-click-account-takeover-by-defeating-email-security-boundaries cve-icon cve-icon cve-icon
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-52gf-m7v9-m333 cve-icon cve-icon cve-icon
https://github.com/CocoaPods/trunk.cocoapods.org/commit/d4fa66f49cedab449af9a56a21ab40697b9f7b97 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact