
CVE-2024-38366

Critical · Public PoC

Published: 01 July 2024

Modified: 21 November 2024
KEV Added: not listed
Patch: available (server-side, September 2023)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.5846 (98.2nd percentile)
Risk Priority: 55 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38366 is a critical-severity injection (CWE-74) vulnerability in trunk.cocoapods.org, the CocoaPods Trunk authentication server. Its CVSS 3.1 base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof of concept.

Deeper analysis

CVE-2024-38366 is a remote code execution vulnerability in trunk.cocoapods.org, the authentication server for the CocoaPods dependency manager. The affected component is the email verification step of user signup, which used the rfc-822 Ruby gem to check that the address's domain has valid MX records. That check performed the DNS MX lookup by running a shell command, and because the user-supplied address flowed into that lookup, the command could be manipulated to run additional commands on the trunk server (command injection, CWE-74). The issue carries a CVSS 3.1 score of 10.0.

An unauthenticated attacker could exploit the flaw by submitting a crafted email address at signup so that the MX lookup executed attacker-controlled input, obtaining root-level access to the trunk server and its infrastructure. With that access the attacker could modify any Podspec stored in trunk, which would have enabled a supply-chain compromise of CocoaPods users. Because of this possibility, the CocoaPods team performed a full reset of all user sessions after discovery.

The vulnerability was fixed server-side in September 2023 via commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3. Public advisories and the CocoaPods security announcement describe the root cause and confirm the patch was applied before the CVE publication date. The EPSS score rose from a low baseline to a peak of 0.59, indicating growing exploitation interest after disclosure.
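The pattern behind the flaw, as an added Ruby illustration written for this page (it is not trunk's or the rfc-822 gem's code): a loose address check lets shell metacharacters into the domain part, the domain is then interpolated into a shell command for the MX lookup, and the shell runs whatever follows. The hardened form validates the domain as a hostname and resolves MX records in-process with Resolv::DNS, so no shell is involved. The regexes, function names and the FakeResolver stand-in are assumptions made for the example; the stub exists so the code runs without network access.

```ruby
# Added illustration (not trunk's or the rfc-822 gem's code): why building the MX
# lookup as a shell string is injectable, and a shell-free replacement.
require 'resolv'
require 'open3'

# Hypothetical permissive address check: accepts anything shaped like local@domain,
# including spaces and punctuation in the domain part.
LOOSE_EMAIL_RE = /\A[^@\s]+@[^@]+\z/

# Vulnerable pattern: the domain is interpolated into a shell command string.
# ';', '|', '$(...)' and friends in the domain become command syntax when the
# string is handed to a shell (backticks, system("..."), etc.).
def vulnerable_mx_command(email)
  raise ArgumentError, 'not an email' unless LOOSE_EMAIL_RE.match?(email)
  domain = email.split('@', 2).last
  "host -t MX #{domain}"
end

# Hardened step 1: accept only a syntactically valid hostname as the domain.
# Dot-separated labels of letters, digits and inner hyphens, ending in a TLD.
HOSTNAME_RE = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

def domain_of(email)
  m = /\A[^@\s]+@([^@\s]+)\z/.match(email)
  return nil unless m
  d = m[1]
  HOSTNAME_RE.match?(d) ? d.downcase : nil
end

# Hardened step 2: no shell at all. Resolv::DNS queries MX records in-process.
# The resolver is injectable so the function can be tested offline.
def mx_exchanges(domain, resolver: Resolv::DNS.new)
  resolver.getresources(domain, Resolv::DNS::Resource::IN::MX)
          .sort_by(&:preference)
          .map { |rr| rr.exchange.to_s.chomp('.') }
end

def has_mx?(email, resolver: Resolv::DNS.new)
  domain = domain_of(email)
  return false if domain.nil?
  !mx_exchanges(domain, resolver: resolver).empty?
end

# If an external tool really is required, pass an argv array, never a string:
#   out, status = Open3.capture2('host', '-t', 'MX', domain)
# argv elements are not parsed by a shell, so metacharacters are inert.

# Constructed offline stand-in for Resolv::DNS: one MX record for example.com only.
class FakeResolver
  def getresources(name, typeclass)
    return [] unless name == 'example.com' && typeclass == Resolv::DNS::Resource::IN::MX
    [Resolv::DNS::Resource::IN::MX.new(10, Resolv::DNS::Name.create('mail.example.com.'))]
  end
end

if __FILE__ == $PROGRAM_NAME
  crafted = 'user@example.com; id'
  puts vulnerable_mx_command(crafted)                       # host -t MX example.com; id
  p domain_of(crafted)                                      # nil (rejected before any lookup)
  p domain_of('user@example.com$(id)')                      # nil
  p has_mx?('user@example.com', resolver: FakeResolver.new) # true
end
```

The important design point is the second step: escaping the domain with Shellwords would only patch the symptom, whereas querying DNS in-process (or spawning a tool with an argv array) removes the shell from the path entirely, so there is nothing left to inject into.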


Vulnerability details

trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used an rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via a DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.

CWE(s)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

CVE-2024-38366 allows RCE via command injection in the email verification step of the public-facing CocoaPods trunk server, which is exploitation of a public-facing application (T1190). Because that access permits arbitrary writes to Podspecs that CocoaPods users consume, it also enables software supply chain compromise (T1195.002).

MITRE ATLAS Techniques

AML.T0010.000: Hardware

This sub-technique concerns hardware supply chain compromise and fits this CVE poorly; the only AI/ML relevance is indirect, in that a tampered Podspec could reach ML applications that depend on CocoaPods. Treat this mapping as weak.

Affected Assets

cocoapods: trunk.cocoapods.org, server-side deployments up to 2023-09-22 (prior to the fix commit)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
