CVE-2024-38367
Published: 01 July 2024
Summary
CVE-2024-38367 is a high-severity Exposure of Data Element to Wrong Session (CWE-488) vulnerability in CocoaPods trunk.cocoapods.org. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 10.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-38367 affects trunk.cocoapods.org, the authentication server for the CocoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, a flaw in the trunk sessions verification step allowed manipulation that enabled owner session hijacking. The issue is tracked under CWE-488 with a CVSS 3.1 score of 8.2.
An unauthenticated remote attacker can exploit the weakness by manipulating session verification to hijack a victim's CocoaPods trunk session. Successful compromise grants full control of the account, permitting the attacker to alter pod specifications, interfere with legitimate library distribution, or trigger broader disruption across the CocoaPods ecosystem.
The vulnerability was addressed server-side by the referenced commit deployed in October 2023. Public advisories and the CocoaPods security notice direct administrators to ensure their environments rely on the patched trunk.cocoapods.org instance; no client-side changes are required.
EPSS scores remain low, with a current value of 0.0499 and a peak of 0.0512.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37281
Vulnerability details
trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking. Compromising a victim's session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.
- CWE(s): CWE-488 (Exposure of Data Element to Wrong Session)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing authentication server (T1190), leading to session hijacking and compromise of cloud-like developer accounts on CocoaPods trunk (T1586.003). That account access in turn facilitates supply chain compromise, since the attacker can manipulate pod specifications and insert malicious code (T1195.002).
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.