CVE-2024-38368 — CRITICAL (9.3)

Q: How severe is CVE-2024-38368?

CVE-2024-38368 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2024-38368?

Check the references section above for vendor advisories and patch information. Affected products include: Cocoapods Trunk.Cocoapods.Org.

Vulnerability Description

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023.

CVSS Score

9.3

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Cocoapods	Trunk.Cocoapods.Org	< 2023-09-22

Related Weaknesses (CWE)

CWE-668

References

https://blog.cocoapods.org/Claim-Your-PodsProduct
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023Vendor Advisory
https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoThird Party Advisory
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-j483-qm5c-7hqxThird Party Advisory
https://github.com/CocoaPods/trunk.cocoapods.org/commit/71be5440906b6bdfbc0bcc7fPatch
https://blog.cocoapods.org/Claim-Your-PodsProduct
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023Vendor Advisory
https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoThird Party Advisory
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-j483-qm5c-7hqxThird Party Advisory
https://github.com/CocoaPods/trunk.cocoapods.org/commit/71be5440906b6bdfbc0bcc7fPatch

FAQ

What is CVE-2024-38368?

CVE-2024-38368 is a vulnerability with a CVSS score of 9.3 (CRITICAL). trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods...

How severe is CVE-2024-38368?

CVE-2024-38368 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-38368?

Check the references section above for vendor advisories and patch information. Affected products include: Cocoapods Trunk.Cocoapods.Org.