HashiCorp Boundary
By the Year
In 2024 there have been 1 vulnerability in HashiCorp Boundary with an average score of 8.0 out of ten. Last year Boundary had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Boundary in 2024 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.90.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 1 | 8.00 |
| 2023 | 1 | 7.10 |
| 2022 | 2 | 8.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Boundary vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent HashiCorp Boundary Security Vulnerabilities
Boundary and Boundary Enterprise (Boundary) is vulnerable to session hijacking through TLS certificate tampering
CVE-2024-1052
8 - High
- February 05, 2024
Boundary and Boundary Enterprise (Boundary) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.
Improper Certificate Validation
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted
CVE-2023-0690
7.1 - High
- February 08, 2023
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI workers disk. This issue is fixed in version 0.12.0.
Missing Encryption of Sensitive Data
Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which
CVE-2022-36182
6.1 - Medium
- October 27, 2022
Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site.
Clickjacking
HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes
CVE-2022-36130
9.9 - Critical
- September 01, 2022
HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2.
Insufficient Verification of Data Authenticity
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for HashiCorp Boundary or by HashiCorp? Click the Watch button to subscribe.
