
CVE-2024-1052: Boundary vulnerable to session hijacking through TLS certificate tampering

CVSS 3.1 Score: 8.1

Basic Information

EPSS Score: 0.53153%
Published: 2/5/2024
Updated: 2/5/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
(network attack vector, high attack complexity, low privileges required, user interaction required, changed scope, high confidentiality, integrity and availability impact)

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
github.com/hashicorp/boundary | go | >= 0.8.0, < 0.15.0 | 0.15.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The available vulnerability information describes an improper certificate validation issue (CWE-295): Boundary's TLS certificate validation accepted crafted certificates and so allowed an attacker with the session's private key to hijack the session. The root cause appears to lie in certificate verification logic that did not enforce byte-for-byte matching of the presented certificate against the certificate issued for the session; the fix shipped in 0.15.0. However, the data at hand contains no code references, commit diffs, or function names from the hashicorp/boundary repository. Without concrete evidence of which functions handle certificate generation, storage, or validation (for example, the TLS handshake verification routines or the TOFU token checks), the vulnerable functions cannot be identified with high confidence.
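The analysis above turns on one point: the certificate a peer presents for a session must be matched byte-for-byte against the certificate issued for that session, not merely checked for a matching key or subject. The following Go program is an added illustration written for this page; it is not Boundary's code and does not reproduce the patched functions, which the analysis says cannot be identified from the available data. It issues a session certificate, then mints a second certificate signed with the same private key (the attacker in this CVE holds such a key) but with different contents, and shows that a key-only comparison (hypothetical verifyWeak) accepts the crafted certificate while a byte-for-byte comparison (hypothetical verifyStrict, wrapped as a callback with the tls.Config VerifyPeerCertificate signature) rejects it. All function names and certificate contents are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert self-signs a certificate for key with the given serial number and
// DNS name. It exists only to construct test material for this example.
func newCert(key *ecdsa.PrivateKey, serial int64, dns string) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "session-worker"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{dns},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// verifyWeak (hypothetical) accepts any presented leaf whose public key equals
// the expected certificate's public key. This is the kind of loose matching
// the analysis warns about: whoever holds the session's private key can mint
// a fresh certificate with arbitrary contents and still pass.
func verifyWeak(expectedDER, presentedDER []byte) error {
	exp, err := x509.ParseCertificate(expectedDER)
	if err != nil {
		return err
	}
	pres, err := x509.ParseCertificate(presentedDER)
	if err != nil {
		return err
	}
	if !exp.PublicKey.(*ecdsa.PublicKey).Equal(pres.PublicKey) {
		return errors.New("public key does not match the session certificate")
	}
	return nil
}

// verifyStrict (hypothetical) requires the presented leaf to be byte-for-byte
// identical to the DER of the certificate issued for the session.
func verifyStrict(expectedDER, presentedDER []byte) error {
	if !bytes.Equal(expectedDER, presentedDER) {
		return errors.New("certificate is not the one issued for this session")
	}
	return nil
}

// pinnedVerifier returns a callback with the tls.Config.VerifyPeerCertificate
// signature that applies verifyStrict to the peer's leaf certificate.
func pinnedVerifier(expectedDER []byte) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		return verifyStrict(expectedDER, rawCerts[0])
	}
}

// demo issues the genuine session certificate and a crafted one signed with the
// same private key, then reports which checks accept which certificate.
func demo() (weakAcceptsCrafted, strictAcceptsCrafted, strictAcceptsGenuine bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := newCert(key, 1, "worker.example.internal")   // constructed
	crafted := newCert(key, 2, "attacker.example.internal") // same key, different bytes
	weakAcceptsCrafted = verifyWeak(genuine, crafted) == nil
	strictAcceptsCrafted = pinnedVerifier(genuine)([][]byte{crafted}, nil) == nil
	strictAcceptsGenuine = pinnedVerifier(genuine)([][]byte{genuine}, nil) == nil
	return
}

func main() {
	w, s, g := demo()
	fmt.Printf("key-only check accepts crafted certificate:       %v\n", w)
	fmt.Printf("byte-for-byte check accepts crafted certificate:  %v\n", s)
	fmt.Printf("byte-for-byte check accepts genuine certificate:  %v\n", g)
}
```

The crafted certificate differs from the genuine one only in serial number and SAN, yet that is enough for the strict comparison to reject it; the key-only check cannot tell them apart because both are signed with the same session key. In a real deployment the expected DER would come from the session record the control plane stored at issuance, so the comparison binds the TLS handshake to that exact artifact.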


Vulnerability Description

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid
