Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2024-38368
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-01 Jul, 2024 | 21:05
Updated At-02 Aug, 2024 | 04:04
Rejected At-
▼CVE Numbering Authority (CNA)
Trunk's 'Claim your pod' could be used to obtain un-used pods

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023.

Affected Products
Vendor
CocoaPods
Product
CocoaPods
Versions
Affected
  • < 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4
Problem Types
TypeCWE IDDescription
CWECWE-668CWE-668: Exposure of Resource to Wrong Sphere
Type: CWE
CWE ID: CWE-668
Description: CWE-668: Exposure of Resource to Wrong Sphere
Metrics
VersionBase scoreBase severityVector
3.19.3CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Version: 3.1
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-j483-qm5c-7hqx
x_refsource_CONFIRM
https://github.com/CocoaPods/trunk.cocoapods.org/commit/71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4
x_refsource_MISC
https://blog.cocoapods.org/Claim-Your-Pods
x_refsource_MISC
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023
x_refsource_MISC
https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#1-taking-unauthorized-ownership-over-orphaned-pods
x_refsource_MISC
Hyperlink: https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-j483-qm5c-7hqx
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/CocoaPods/trunk.cocoapods.org/commit/71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4
Resource:
x_refsource_MISC
Hyperlink: https://blog.cocoapods.org/Claim-Your-Pods
Resource:
x_refsource_MISC
Hyperlink: https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023
Resource:
x_refsource_MISC
Hyperlink: https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#1-taking-unauthorized-ownership-over-orphaned-pods
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
cocoapods
Product
cocoapods
CPEs
  • cpe:2.3:a:cocoapods:cocoapods:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-j483-qm5c-7hqx
x_refsource_CONFIRM
x_transferred
https://github.com/CocoaPods/trunk.cocoapods.org/commit/71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4
x_refsource_MISC
x_transferred
https://blog.cocoapods.org/Claim-Your-Pods
x_refsource_MISC
x_transferred
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023
x_refsource_MISC
x_transferred
https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#1-taking-unauthorized-ownership-over-orphaned-pods
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-j483-qm5c-7hqx
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/CocoaPods/trunk.cocoapods.org/commit/71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://blog.cocoapods.org/Claim-Your-Pods
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#1-taking-unauthorized-ownership-over-orphaned-pods
Resource:
x_refsource_MISC
x_transferred
Details not found