The vulnerability of dependency managers for Swift and Objective-C CocoaPods, related to the provision of data elements during an erroneous session, allows a perpetrator to intercept the owner’s session and take control of another person’s CocoaPods trunk account.

🗓️ 29 Jul 2024 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 2 Views

CocoaPods vulnerability lets remote attackers intercept a user session and seize trunk account.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2024-38367	2 Jul 202416:00	–	circl
CNNVD	CocoaPods Security Vulnerability	1 Jul 202400:00	–	cnnvd
CVE	CVE-2024-38367	1 Jul 202420:48	–	cve
Cvelist	CVE-2024-38367 CoacoaPods trunk sessions verification step could be manipulated for owner session hijacking	1 Jul 202420:48	–	cvelist
EUVD	EUVD-2024-37281	3 Oct 202520:07	–	euvd
NVD	CVE-2024-38367	1 Jul 202421:15	–	nvd
OSV	CVE-2024-38367 CoacoaPods trunk sessions verification step could be manipulated for owner session hijacking	1 Jul 202420:48	–	osv
Positive Technologies	PT-2024-5209 · Cocoapods · Cocoapods	1 Jul 202400:00	–	ptsecurity
The Hacker News	Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks	1 Jul 202416:12	–	thn
Vulnrichment	CVE-2024-38367 CoacoaPods trunk sessions verification step could be manipulated for owner session hijacking	1 Jul 202420:48	–	vulnrichment

Source	Link
blog	www.blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023
evasec	www.evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods
xakep	www.xakep.ru/2024/07/03/cocoapods-problems/
web	www.web.nvd.nist.gov/view/vuln/detail

29 Jul 2024 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 27.3

CVSS 38.2

EPSS0.11042

CocoaPods remote attack session interception trunk account data exchange