CVE-2024-38366
CRITICALCVSS v3
10
CRITICAL
EPSS Score
58.5%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.
Technical Details
- Published
- 7/1/2024
Frequently Asked Questions
What is CVE-2024-38366?
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.
Is CVE-2024-38366 actively exploited?
Active exploitation of CVE-2024-38366 has not been confirmed. The EPSS score is 58.5%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2024-38366?
CVE-2024-38366 has a CVSS v3 base score of 10 (CRITICAL severity).
Is CVE-2024-38366 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.