x/vulndb: potential Go vuln in github.com/hashicorp/boundary: GHSA-vh73-q3rw-qx7w

GoVulnBot commented 9 months ago

In GitHub Security Advisory GHSA-vh73-q3rw-qx7w, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/hashicorp/boundary	0.15.0	>= 0.8.0, < 0.15.0

Cross references:

Module github.com/hashicorp/boundary appears in issue #1090 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/boundary appears in issue #1898 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/hashicorp/boundary
      versions:
        - introduced: 0.8.0
          fixed: 0.15.0
      vulnerable_at: 0.14.3
      packages:
        - package: github.com/hashicorp/boundary
summary: Boundary vulnerable to session hijacking through TLS certificate tampering
cves:
    - CVE-2024-1052
ghsas:
    - GHSA-vh73-q3rw-qx7w
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2024-1052
    - web: https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458
    - advisory: https://github.com/advisories/GHSA-vh73-q3rw-qx7w

gopherbot commented 8 months ago

Change https://go.dev/cl/567817 mentions this issue: data/excluded: batch add 15 excluded reports

gopherbot commented 5 months ago

Change https://go.dev/cl/592778 mentions this issue: data/reports: unexclude 80 reports

golang / vulndb

x/vulndb: potential Go vuln in github.com/hashicorp/boundary: GHSA-vh73-q3rw-qx7w #2532