Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.
{ "nvd_published_at": "2024-02-05T21:15:11Z", "cwe_ids": [ "CWE-295" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-05T23:06:56Z" }