CVE-2024-12289: 
NixOS vulnerability analysis and mitigation

Boundary Community Edition and Boundary Enterprise ('Boundary') contains a vulnerability (CVE-2024-12289) where the system incorrectly handles HTTP requests during the initialization of the Boundary controller. The vulnerability affects versions 0.8.0 up to 0.18.1 and has been fixed in versions 0.16.4, 0.17.3, and 0.18.2. The issue is specifically present during the controller initialization phase, which typically only lasts for milliseconds during the startup process (HashiCorp Discussion).

During the initialization of the Boundary controller, certain functionalities including logging are gated or paused while Boundary completes its initialization process. The vulnerability stems from an internal error in request handling where HTTP requests that should be dropped during initialization are instead returned to the Boundary server as errors, potentially causing the server to terminate. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (HashiCorp Discussion).

The vulnerability can cause the Boundary server to terminate prematurely or allow an attacker to perform a denial of service attack. The impact is limited to the initialization phase of the Boundary controller, which typically only lasts for milliseconds during the startup process (HashiCorp Discussion).

Organizations should evaluate the risk associated with this issue and upgrade to Boundary versions 0.16.4, 0.17.3, 0.18.2, or newer. HashiCorp recommends referring to their Upgrading Boundary documentation for general guidance and version-specific upgrade notes (HashiCorp Discussion).