CVE-2024-12289 — Vulnetix

CVE-2024-12289 PUBLISHED CVSS 5.900000095367432 MEDIUM

Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process. This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.

EPSS 0.39% · 60.6th percentile

Risk Scores

CVSS 3.1

5.900000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.39%

60.6th percentile

Affected Products

Vendor	Product	Versions
github.com	hashicorp/boundary	0, 0
hashicorp	boundary	0.8.0, 0.17.0, 0.18.0
HashiCorp	Boundary Enterprise	0.8.0, 0.8.0
HashiCorp	Boundary	0.8.0, 0.8.0

Exploit Intelligence

CIRCL seen: CVE-2024-12289 (circl-sighting)
CIRCL seen: CVE-2024-12289 (circl-sighting)
https://discuss.hashicorp.com/t/hcsec-2024-28-boundary-controller-incorrectly-handles-http-requests-on-initialization-which-may-lead-to-a-denial-of-service (circl)

Timeline

Dec 12, 2024 CVE Published
Dec 12, 2024 PoC Published
Dec 13, 2024 EPSS Score
Dec 13, 2024 PoC Published
Dec 30, 2024 EPSS Score
Jan 15, 2025 EPSS Score
Feb 1, 2025 EPSS Score
Feb 18, 2025 EPSS Score
Mar 6, 2025 EPSS Score
Mar 23, 2025 EPSS Score
Apr 9, 2025 EPSS Score
Apr 25, 2025 EPSS Score

References

Open in Interactive Console →