Numerous widely used iOS and macOS apps could be compromised in supply chain attacks through a trio of vulnerabilities in the CocoaPods dependency manager, all of which were remediated in October, The Hacker News reports.
The most severe of the identified flaws is a maximum-severity insecure email verification workflow issue, tracked as CVE-2024-38366, which could be leveraged to achieve arbitrary code execution on the Trunk server and ultimately allow package manipulation and replacement, according to a report from E.V.A. Information Security.
Another critical vulnerability, tracked as CVE-2024-38368, could be exploited to allow package takeovers, source code tampering, and malicious code injection, while a separate high-severity email address verification bug, tracked as CVE-2024-38367, could be used to lure targets into clicking malicious verification links and grant access to developer session tokens.
"We have found that almost every pod owner is registered with their organizational email on the Trunk server, which makes them vulnerable to our zero-click takeover vulnerability," researchers said.