High severity · NVD Advisory · Published Feb 5, 2024 · Updated Aug 1, 2024
Boundary Vulnerable to Session Hijacking Through TLS Certificate Tampering
CVE-2024-1052
Description
Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/boundary (Go) | >= 0.8.0, < 0.15.0 | 0.15.0 |
Affected products (2)
- HashiCorp/Boundary Enterprise · v5 · Range: 0.8.0
Patches
No patches discovered yet.