Boundary Controller Initialization HTTP Request Handling Denial of Service Vulnerability
CVE-2024-12289 Published on December 12, 2024
Boundary Controller Incorrectly Handles HTTP Requests On Initialization Which May Lead to a Denial of Service
Boundary Community Edition and Boundary Enterprise (Boundary) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process.
This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, and 0.18.2.
Weakness Type
Improper Cleanup on Thrown Exception
The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.
Products Associated with CVE-2024-12289
Affected Versions
HashiCorp Boundary:
- Versions 0.8.0 and later, below 0.18.2, are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.