TLS Certificate Tampering Vulnerability in Boundary Enterprise

CVE-2024-1052
CVSS 3.1 score: 8 (HIGH)

Key Information

Vendor: HashiCorp
Products: Boundary, Boundary Enterprise
CVE Published: 5 February 2024

Summary

Boundary and Boundary Enterprise (“Boundary”) are vulnerable to session hijacking through TLS certificate tampering. An attacker who holds all three of the following prerequisites: privileges to enumerate active or pending sessions, the private key belonging to a session, and a valid trust-on-first-use (TOFU) token, may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

Affected Version(s)

Boundary < 0.15.0

Boundary Enterprise < 0.15.0

CVSS V3.1

Score: 8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published.

  • Vulnerability reserved.

Collectors

NVD Database, MITRE Database