HashiCorp Boundary update for Go
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-41717 |
| CWE-ID | CWE-770 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Boundary Server applications / Directory software, identity management |
| Vendor | HashiCorp |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU70334
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2022-41717
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
MitigationInstall update from vendor's website.
Vulnerable software versionsBoundary: 0.1.0 - 0.11.1
CPE2.3- cpe:2.3:a:hashicorp:boundary:0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:hashicorp:boundary:0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:hashicorp:boundary:0.1.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
