Software update: Vaultwarden 1.33.0
Bitwarden is a password manager that regularly shows up on Tweakers. It is open source and can also be run on your own server. Developer Daniel García has created an unofficial implementation of Bitwarden written in Rust, initially under the name Bitwarden_rs but for the past few years as Vaultwarden. It covers only the server side of the password manager; the official Bitwarden software can be used for the clients. Vaultwarden is lighter to run and also offers functionality that requires a paid plan with Bitwarden, including functionality for managing passwords at the organization level. Version 1.33.0 of Vaultwarden has been released, with the following changes and improvements:
Security Fixes
This release contains security fixes for the following advisories, and we strongly advise to update as soon as possible.

- GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not have an ADMIN_TOKEN configured and open links or pages you should not trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your admin environment safe.
- GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent, but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during, for example, sending a test email.
- GHSA-j4h8-vch3-f797: This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization. The attacker does need to know the Organization UUID of the Organization it wants to attack or compromise, though.

Notable changes
- Updated web-vault to v2025.1.1
- Added partial manage role support for collections
  - Manager role is converted to a Custom role with either Manage All Collections or per collection.
  - Admins and Owners probably want to check and verify if the rights are still correct.
- The OCI containers and binaries are signed via GitHub Attestations
  - This allows you to verify an OCI image or even the vaultwarden binary located within the OCI image.

What's Changed
- Add inline-menu-positioning-improvements feature flag in #5313
- Fix issues when uri match is a string in #5332
- Add TOTP delete endpoint in #5327
- fix group issue in send_invite in #5321
- Update crates and GHA in #5346
- Refactor the uri match fix and fix ssh-key sync in #5339
- Add partial role support for manager only using web-vault v2024.12.0 in #5219
- Fix issue with key-rotate in #5348
- fix manager role in admin users overview in #5359
- Prevent new users/members to be stored in db when invite fails in #5350
- Update crates and web-vault to v2025.1.0 in #5368
- Allow building with Rust v1.84.0 or newer in #5371
- rename membership and adopt newtype pattern in #5320
- build: raise msrv (1.83.0) rust toolchain (1.84.0) in #5374
- Fix an issue with login with device in #5379
- refactor: replace static with const for global constants in #5260
- Add Attestations for containers and artifacts in #5378
- Fix version detection on bake in #5382
- Simplify container image attestation in #5387
- improve admin invite in #5403
- Add manage role for collections and groups in #5386
- update web-vault to v2025.1.1 and add /api/devices in #5422
- Security fixes in #5438
- only validate SMTP_FROM if necessary in #5442
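The ADMIN_TOKEN and sendmail advice in the security fixes above can be turned into a quick configuration audit. The script below is an added example and is not part of the Vaultwarden project: it reads a Vaultwarden .env-style file and reports whether ADMIN_TOKEN is configured (and whether it is a hashed value rather than plain text), and whether a sendmail setup points at a plain binary path instead of something that would pass through a shell. ADMIN_TOKEN, USE_SENDMAIL and SENDMAIL_COMMAND are Vaultwarden's real configuration variables; the default sendmail path and the Argon2 PHC format produced by `vaultwarden hash` are assumptions taken from Vaultwarden's documentation, and both sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# audit_vw_env.sh: audit a Vaultwarden .env-style file for the settings the
# 1.33.0 advisories turn on: an ADMIN_TOKEN being configured
# (GHSA-f7r5-w49x-gxm3) and a sendmail setup that does not route through a
# shell (GHSA-h6cc-rc6q-23j4). Added example, not Vaultwarden project code.
# Assumptions: the hashed-token format is the $argon2... PHC string produced
# by `vaultwarden hash`, and /usr/sbin/sendmail is the SENDMAIL_COMMAND default.

# env_value FILE KEY: print the value of KEY (last assignment wins), ignoring
# commented lines and stripping one layer of surrounding quotes.
env_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -e "s/^[[:space:]]*$2=//" -e "s/^['\"]//" -e "s/['\"]\$//"
}

# audit_env FILE: print one finding per line; return 0 when nothing needs
# attention and 1 when at least one FAIL or WARN was found.
audit_env() {
    file=$1
    rc=0

    token=$(env_value "$file" ADMIN_TOKEN)
    case "$token" in
        "")         echo "FAIL ADMIN_TOKEN: not configured (GHSA-f7r5-w49x-gxm3 advises setting one)"; rc=1 ;;
        '$argon2'*) echo "OK   ADMIN_TOKEN: configured as an Argon2 PHC hash" ;;
        *)          echo "WARN ADMIN_TOKEN: configured in plain text; prefer a hash from 'vaultwarden hash'"; rc=1 ;;
    esac

    use_sendmail=$(env_value "$file" USE_SENDMAIL)
    if [ "$use_sendmail" = "true" ]; then
        cmd=$(env_value "$file" SENDMAIL_COMMAND)
        [ -n "$cmd" ] || cmd=/usr/sbin/sendmail   # assumed default
        case "$cmd" in
            /*) ;;
            *)  echo "WARN SENDMAIL_COMMAND: '$cmd' is not an absolute path"; rc=1 ;;
        esac
        # A sendmail binary path needs nothing beyond these characters; anything
        # else (spaces, quotes, ;, |, $) means the setting is being used as a
        # shell command line, which is what GHSA-h6cc-rc6q-23j4 relies on.
        if printf '%s' "$cmd" | grep -q '[^A-Za-z0-9/._-]'; then
            echo "WARN SENDMAIL_COMMAND: '$cmd' contains whitespace or shell metacharacters"
            rc=1
        else
            echo "OK   SENDMAIL_COMMAND: '$cmd' is a plain binary path"
        fi
        [ -x "$cmd" ] || echo "INFO SENDMAIL_COMMAND: '$cmd' is not an executable on this host"
    else
        echo "OK   USE_SENDMAIL: not enabled, SMTP settings are used instead"
    fi
    return $rc
}

# Constructed sample configs (not real deployments) to exercise both paths.
tmp=$(mktemp -d)
cat > "$tmp/hardened.env" <<'EOF'
# constructed sample: hashed admin token, no sendmail
DOMAIN=https://vault.example.com
ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$CONSTRUCTEDsalt$CONSTRUCTEDhash'
SMTP_HOST=smtp.example.com
USE_SENDMAIL=false
EOF
cat > "$tmp/risky.env" <<'EOF'
# constructed sample: no admin token, sendmail routed through a shell
DOMAIN=https://vault.example.com
# ADMIN_TOKEN=changeme
USE_SENDMAIL=true
SENDMAIL_COMMAND="/bin/sh -c 'mail'"
EOF

for f in "$tmp/hardened.env" "$tmp/risky.env"; do
    echo "== $f"
    if audit_env "$f"; then echo "result: nothing to fix"; else echo "result: needs attention"; fi
done
```

Run it against the .env file, or a dump of the environment your container receives; a non-zero exit status means at least one finding needs attention. Checking the signed OCI image from the notable changes is a separate step: it needs network access to GitHub's attestation service and is done with the GitHub CLI's `gh attestation verify` subcommand, which is why it is not part of this offline script.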
Source:
Tweakers.net