CVE Vulnerabilities

CVE-2024-1052

Improper Certificate Validation

Published: Feb 05, 2024 | Modified: Feb 15, 2024
CVSS 3.x
8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Boundary Hashicorp 0.8.0 *

Potential Mitigations

References