CVE-2024-38367

CoacoaPods trunk sessions verification step could be manipulated for owner session hijacking

Severity Score

8.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.

trunk.cocoapods.org es el servidor de autenticación para el administrador de dependencias de CoacoaPods. Antes del commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, el paso de verificación de las sesiones troncales podría manipularse para secuestrar la sesión del propietario. Comprometer la sesión de una víctima resultará en una toma total de control de la cuenta troncal CocoaPods. El actor de amenazas podría manipular las especificaciones de sus pods, interrumpir la distribución de bibliotecas legítimas o causar una interrupción generalizada dentro del ecosistema CocoaPods. Esto se parchó en el lado del servidor con el commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 en octubre de 2023.

*Credits: N/A

CVSS Scores

GitHubv3.1 8.2

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-14 CVE Reserved
2024-07-01 CVE Published
2024-08-19 CVE Updated
2024-09-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-488: Exposure of Data Element to Wrong Session

CAPEC

References (4)

URL	Tag	Source
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023	X_refsource_misc
https://evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#vulnerability-3-achieving-zero-click-account-takeover-by-defeating-email-security-boundaries	X_refsource_misc
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-52gf-m7v9-m333	X_refsource_confirm
https://github.com/CocoaPods/trunk.cocoapods.org/commit/d4fa66f49cedab449af9a56a21ab40697b9f7b97	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
CocoaPods Search vendor "CocoaPods"		CocoaPods Search vendor "CocoaPods" for product "CocoaPods"				*		en		Affected