Home > Vulnerability Database > CVE-2024-38367

Mend.io Vulnerability Database

CVE-2024-38367

Good to know:

Date: July 1, 2024

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.

Language: Ruby

Severity Score

8.2

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-38367

Url: https://evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#vulnerability-3-achieving-zero-click-account-takeover-by-defeating-email-security-boundaries

Url: https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023

Url: https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-52gf-m7v9-m333

Url: https://github.com/CocoaPods/trunk.cocoapods.org/commit/d4fa66f49cedab449af9a56a21ab40697b9f7b97

Url: https://www.mend.io/vulnerability-database/CVE-2024-38367

Severity Score

8.2

Weakness Type (CWE)

Exposure of Data Element to Wrong Session

CWE-488

Top Fix

Upgrade Version

Upgrade to version d4fa66f49cedab449af9a56a21ab40697b9f7b97

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-38367

Good to know:

Date: July 1, 2024

Language: Ruby

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?