Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12aDczLXEzcnctcXg3d84AA5En

Boundary vulnerable to session hijacking through TLS certificate tampering

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

Permalink: https://github.com/advisories/GHSA-vh73-q3rw-qx7w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12aDczLXEzcnctcXg3d84AA5En
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 20 days ago
Updated: 20 days ago


CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-vh73-q3rw-qx7w, CVE-2024-1052
References:

Affected Packages

go:github.com/hashicorp/boundary
Versions: >= 0.8.0, < 0.15.0
Fixed in: 0.15.0