trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.
References
Configurations
History
21 Nov 2024, 09:25
Type | Values Removed | Values Added |
---|---|---|
References | () https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023 - Vendor Advisory | |
References | () https://evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#vulnerability-3-achieving-zero-click-account-takeover-by-defeating-email-security-boundaries - Exploit, Third Party Advisory | |
References | () https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-52gf-m7v9-m333 - Third Party Advisory | |
References | () https://github.com/CocoaPods/trunk.cocoapods.org/commit/d4fa66f49cedab449af9a56a21ab40697b9f7b97 - Patch | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.2 |
18 Sep 2024, 15:16
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:cocoapods:trunk.cocoapods.org:*:*:*:*:ruby:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.6 |
References | () https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023 - Vendor Advisory | |
References | () https://evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#vulnerability-3-achieving-zero-click-account-takeover-by-defeating-email-security-boundaries - Exploit, Third Party Advisory | |
References | () https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-52gf-m7v9-m333 - Third Party Advisory | |
References | () https://github.com/CocoaPods/trunk.cocoapods.org/commit/d4fa66f49cedab449af9a56a21ab40697b9f7b97 - Patch | |
CWE | NVD-CWE-Other | |
First Time |
Cocoapods
Cocoapods trunk.cocoapods.org |
02 Jul 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.2 |
02 Jul 2024, 12:09
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
01 Jul 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-01 21:15
Updated : 2024-11-21 09:25
NVD link : CVE-2024-38367
Mitre link : CVE-2024-38367
CVE.ORG link : CVE-2024-38367
JSON object : View
Products Affected
cocoapods
- trunk.cocoapods.org
CWE