CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-12289 – Boundary Controller Incorrectly Handles HTTP Requests On Initialization Which May Lead to a Denial of Service
https://notcve.org/view.php?id=CVE-2024-12289
12 Dec 2024 — Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process. This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.... • https://discuss.hashicorp.com/t/hcsec-2024-28-boundary-controller-incorrectly-handles-http-requests-on-initialization-which-may-lead-to-a-denial-of-service • CWE-460: Improper Cleanup on Thrown Exception •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1052 – Boundary Vulnerable to Session Hijacking Through TLS Certificate Tampering
https://notcve.org/view.php?id=CVE-2024-1052
05 Feb 2024 — Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application. Boundary and Boundary Enterprise (“Boundary”) es vulnerable al secuestro de sesión mediante la manipulación del cert... • https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458 • CWE-295: Improper Certificate Validation •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0690 – Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured
https://notcve.org/view.php?id=CVE-2023-0690
08 Feb 2023 — HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0. HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with... • https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907 • CWE-311: Missing Encryption of Sensitive Data CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36182 – Hashicorp Boundary Clickjacking
https://notcve.org/view.php?id=CVE-2022-36182
07 Oct 2022 — Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. Hashicorp Boundary v0.8.0 es vulnerable a Clickjacking, que permite la interceptación de credenciales de inicio de sesión, la redirección de usuarios a sitios maliciosos o hacer que los usuarios realicen acciones maliciosas en el sitio. Hashicorp Boundary versions prior to 0.11.0 suffer from a click... • https://owasp.org/www-community/attacks/Clickjacking • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36130
https://notcve.org/view.php?id=CVE-2022-36130
01 Sep 2022 — HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2. HashiCorp Boundary versiones hasta 0.10.1, no llevaba a cabo apropiadamente las comprobaciones de integridad de los datos para garantizar que los recursos estuvieran asociados a los ámbitos correctos, lo que permitía una potencial escalada de privilegios para usu... • https://discuss.hashicorp.com • CWE-345: Insufficient Verification of Data Authenticity •