CVE-2024-1052

Improper Certificate Validation in go/github.com/hashicorp/boundary

Identifiers

GHSA-vh73-q3rw-qx7w, CVE-2024-1052

Package Slug

go/github.com/hashicorp/boundary

Vulnerability

Improper Certificate Validation

Description

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

Affected Versions

All versions starting from 0.8.0 before 0.15.0

Solution

Upgrade to version 0.15.0 or above.

Last Modified

2024-02-06

source