Cocoapods Privacy Breach in iOS Ecosystem

EVA Information Security

One of the flaws allowed an attacker to inject code into applications that handle confidential user information, such as credit card data, medical records, and other personal data. This could enable malicious activity such as extortion, fraud, blackmail, or corporate espionage. Companies shipping vulnerable applications risked legal and reputational consequences.

Three vulnerabilities were discovered relating to an insecure email verification mechanism used to authenticate the developers of individual pods. When a developer entered an email address associated with their pod, the Trunk server responded by sending a link to that address, and clicking the link granted access to the account. An attacker could alter the URL placed in the email so that it pointed to a malicious server.

The following vulnerabilities were uncovered:

  • CVE-2024-38366 (CVSS estimate: 10.0) allows arbitrary code execution on the Trunk server, enabling manipulation or replacement of packages.
  • CVE-2024-38367 (CVSS: 8.0) involves an insecure email verification mechanism that can be manipulated to send the verification link to the attacker's server, potentially exposing developers' account data. It could also be exploited for zero-click attacks by altering an HTTP header and abusing incorrectly configured email security tools.
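The weak pattern behind CVE-2024-38367, in which the verification link's origin is taken from a client-controlled HTTP header, shown beside a hardened form that builds the link from server configuration only. This is an added illustration, not code from the page or from CocoaPods Trunk; the origin, hostnames and path are placeholders.

```ruby
require 'securerandom'
require 'uri'

# Constructed example (not CocoaPods' own code): building an account
# verification link so that a client-controlled Host header cannot redirect it.

# Weak pattern: the link's origin comes from the incoming request's Host header
# (the same applies to X-Forwarded-Host behind a proxy), so whoever controls
# that header controls where the one-time token is sent.
def weak_verification_link(request_headers, token)
  "https://#{request_headers['Host']}/sessions/verify?token=#{token}"
end

# Hardened pattern: the origin is fixed in configuration; the request's Host
# header is only checked against an allowlist and the request is rejected
# (not silently rewritten) when it does not match.
CANONICAL_ORIGIN = 'https://trunk.example.test'.freeze # placeholder, assumed
ALLOWED_HOSTS    = ['trunk.example.test'].freeze       # placeholder, assumed

class HostNotAllowed < StandardError; end

def safe_verification_link(request_headers, token)
  host = request_headers['Host'].to_s.split(':').first.to_s.downcase
  raise HostNotAllowed, host unless ALLOWED_HOSTS.include?(host)

  uri = URI.parse(CANONICAL_ORIGIN)
  uri.path  = '/sessions/verify'
  uri.query = URI.encode_www_form(token: token)
  uri.to_s
end

# Tokens must be unguessable; 32 random bytes, URL-safe encoded.
def new_token
  SecureRandom.urlsafe_base64(32)
end
```

Detection note: a request whose Host header is outside the allowlist should be logged, since in this bug class it is the only visible trace of the attempt.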
