PT-2024-5205 · Cocoapods · Cocoapods

B4Rd4K

Published: 2024-07-01 · Updated: 2025-04-10 · CVE-2024-38366

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CocoaPods (affected versions not specified)
Description: The issue concerns the CocoaPods dependency manager, specifically its authentication server, trunk.cocoapods.org. The flaw was in the part of trunk that verifies, on signup, whether a user has a real email address. That check used an rfc-822 library which validates the email domain by looking up its DNS MX records, and it performed that lookup by executing a shell command. Because the lookup could be manipulated through the supplied address, it could be turned into command execution on the trunk server, giving root access to the server and infrastructure. The issue was patched server-side in September 2023 and triggered a full user-session reset, since an attacker could have used this method to write to any Podspec in trunk.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
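The weak pattern the description refers to (a shell command built from the e-mail domain) beside a hardened replacement that validates the hostname and resolves MX records in-process, as an added Ruby example that is not CocoaPods' or the rfc-822 gem's code; the `host` command, the function names and the `FakeResolver` used to run offline are assumptions.

```ruby
require 'resolv'

# Constructed "before" pattern: the e-mail domain is interpolated into a
# shell command to query MX records. Any shell metacharacter in the domain
# is handed to the shell (CWE-78). Shown for contrast only; never call it
# with untrusted input.
def mx_lookup_via_shell(domain)
  `host -t MX #{domain}`
end

# Hardened form: reject anything that is not a syntactically valid hostname,
# then resolve MX records with Resolv so no shell is involved at all.
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

def valid_hostname?(domain)
  return false unless domain.is_a?(String) && domain.length <= 253
  labels = domain.split('.', -1)
  labels.size >= 2 && labels.all? { |l| l.match?(LABEL) }
end

# Returns MX exchange hosts ordered by preference; raises on invalid input.
def mx_hosts(domain, resolver: Resolv::DNS.new)
  raise ArgumentError, "invalid domain: #{domain.inspect}" unless valid_hostname?(domain)
  resolver.getresources(domain, Resolv::DNS::Resource::IN::MX)
          .sort_by(&:preference)
          .map { |r| r.exchange.to_s }
end

# Signup-style check: the domain must be well-formed AND have at least one MX.
def mail_domain_ok?(email, resolver: Resolv::DNS.new)
  domain = email.to_s.split('@', 2)[1]
  valid_hostname?(domain) && !mx_hosts(domain, resolver: resolver).empty?
end

# Constructed offline resolver (assumption) so the example runs without network access.
class FakeResolver
  Rec = Struct.new(:preference, :exchange)
  def getresources(name, _type)
    name == 'example.com' ? [Rec.new(20, 'mx2.example.com'), Rec.new(10, 'mx1.example.com')] : []
  end
end

if __FILE__ == $PROGRAM_NAME
  r = FakeResolver.new
  puts mail_domain_ok?('alice@example.com', resolver: r) # true
  puts mail_domain_ok?('bob@example.com;x', resolver: r) # false: rejected before any lookup
end
```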

Exploit · RCE · Special Elements Injection

Weakness Enumeration

Related Identifiers
BDU:2024-05762
CVE-2024-38366
GHSA-X2X4-G675-QG7C

Affected Products
Cocoapods