CVE-2024-38366

CRITICAL

CVSS v3

10

CRITICAL

EPSS Score

58.5%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.

Technical Details

Published
7/1/2024

Frequently Asked Questions

What is CVE-2024-38366?

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.

Is CVE-2024-38366 actively exploited?

Active exploitation of CVE-2024-38366 has not been confirmed. The EPSS score is 58.5%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2024-38366?

CVE-2024-38366 has a CVSS v3 base score of 10 (CRITICAL severity).

Is CVE-2024-38366 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.