CVE-2024-1052

GHSA-vh73-q3rw-qx7w, CVE-2024-1052

go/github.com/hashicorp/boundary

Improper Certificate Validation

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

All versions starting from 0.8.0 before 0.15.0

Upgrade to version 0.15.0 or above.

2024-02-07