CVE-2024-38368

Trunk's 'Claim your pod' could be used to obtain un-used pods

Description

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023.

Category

9.3
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 0.42%
Vendor Advisory cocoapods.org
Affected: CocoaPods CocoaPods
Published at:
Updated at:

References

Link Tags
https://github.com/CocoaPods/CocoaPods/security/advisories/GHSA-j483-qm5c-7hqx third party advisory
https://github.com/CocoaPods/trunk.cocoapods.org/commit/71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 patch
https://blog.cocoapods.org/Claim-Your-Pods product
https://blog.cocoapods.org/CocoaPods-Trunk-RCEs-2023 vendor advisory
https://evasec.webflow.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods#1-taking-unauthorized-ownership-over-orphaned-pods third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-38368?
CVE-2024-38368 has been scored as a critical severity vulnerability.
How to fix CVE-2024-38368?
To fix CVE-2024-38368, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-38368 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-38368 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-38368?
CVE-2024-38368 affects CocoaPods CocoaPods.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.