Is CVE-2024-38366 in the CISA KEV catalog?

No. CVE-2024-38366 is not currently on the CISA Known Exploited Vulnerabilities list.

What is the CVSS severity of CVE-2024-38366?

CVE-2024-38366 has a CVSS v3 base score of 10.0 (CRITICAL).

What is the EPSS score for CVE-2024-38366?

CVE-2024-38366 has an EPSS score of 17.65% (97th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2024-38366

CRITICALEPSS 97th pctl

10.0

CVSS v3

NVD

Description

trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.

CWE-74

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeChanged

Impact

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploit Intelligence

17.65%probability of exploitation in 30 days

97thpercentile

Very high risk: more likely to be exploited than 97% of all known CVEs.

References

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.