GHSA-vh73-q3rw-qx7w, CVE-2024-1052
go/github.com/hashicorp/boundary
Improper Certificate Validation
Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.
All versions starting from 0.8.0 before 0.15.0
Upgrade to version 0.15.0 or above.
2024-02-07
source |