Описание
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.
A flaw was found in Vaultwarden. An authenticated manager, even when explicitly denied management privileges for a collection, could still perform various unauthorized management operations on that collection. This improper access control could lead to unauthorized information disclosure and data modification within the affected collection.
Отчет
This is an IMPORTANT flaw in Vaultwarden, an unofficial Bitwarden compatible server. A manager with manage=false for a collection can still perform management operations on collections they have access to. Red Hat only ships Vaultwarden in community products - EPEL and Fedora
Дополнительная информация
Статус:
EPSS
8.3 High
CVSS3
Связанные уязвимости
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, when a Manager has manage=false for a given collection, they can still perform several management operations as long as they have access to the collection. This issue has been patched in version 1.35.4.
Vaultwarden is an unofficial Bitwarden compatible server written in Ru ...
Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role
EPSS
8.3 High
CVSS3