Go modules package
github.com/hashicorp/boundary
pkg:golang/github.com/hashicorp/boundary
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-7776 | Hig | 7.5 | < 0.19.5 | 0.19.5 | May 4, 2026 | Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the cli | |
| CVE-2024-12289 | — | < 0.18.2 | 0.18.2 | Dec 12, 2024 | Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization | ||
| CVE-2024-1052 | — | >= 0.8.0, < 0.15.0 | 0.15.0 | Feb 5, 2024 | Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) toke | ||
| CVE-2023-0690 | — | >= 0.10.0, < 0.12.0 | 0.12.0 | Feb 8, 2023 | HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This wou | ||
| CVE-2022-36182 | — | <= 0.11.0 | — | Oct 27, 2022 | Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. |
- affected < 0.19.5fixed 0.19.5
Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the cli
- CVE-2024-12289Dec 12, 2024affected < 0.18.2fixed 0.18.2
Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization
- CVE-2024-1052Feb 5, 2024affected >= 0.8.0, < 0.15.0fixed 0.15.0
Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) toke
- CVE-2023-0690Feb 8, 2023affected >= 0.10.0, < 0.12.0fixed 0.12.0
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This wou
- CVE-2022-36182Oct 27, 2022affected <= 0.11.0
Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site.