GitHub_MCVE-2024-38367CVE-2024-38367
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
30.6%
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victimβs session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cocoapods | trunk.cocoapods.org | * | cpe:2.3:a:cocoapods:trunk.cocoapods.org:*:*:*:*:ruby:*:*:* |
CNA Affected
[
{
"vendor": "CocoaPods",
"product": "CocoaPods",
"versions": [
{
"version": "< d4fa66f49cedab449af9a56a21ab40697b9f7b97",
"status": "affected"
}
]
}
]References
blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023
evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#vulnerability-3-achieving-zero-click-account-takeover-by-defeating-email-security-boundaries
github.com/CocoaPods/CocoaPods/security/advisories/GHSA-52gf-m7v9-m333
github.com/CocoaPods/trunk.cocoapods.org/commit/d4fa66f49cedab449af9a56a21ab40697b9f7b97
Social References
More
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
30.6%