CVE-2024-38368
CRITICALtrunk.cocoapods.org < 2023-09-22 - Unauthorized Pod Ownership Claim via Orphaned Pods
Title source: llmDescription
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_confirm
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-j483-qm5c-7hqx
Patch x_refsource_misc
https://github.com/CocoaPods/trunk.cocoapods.org/commit/71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4
Product x_refsource_misc
https://blog.cocoapods.org/Claim-Your-Pods
Vendor Advisory x_refsource_misc
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023
Third Party Advisory x_refsource_misc
https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#1-taking-unauthorized-ownership-over-orphaned-pods
Scores
CVSS v3
9.3
EPSS
0.1473
EPSS Percentile
96.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-668
Status
published
Products (1)
cocoapods/trunk.cocoapods.org
< 2023-09-22
Published
Jul 01, 2024
Tracked Since
Feb 18, 2026