csaf_certbund - wid-sec-w-2024-3743

WID-SEC-W-2024-3743

Vulnerability from csaf_certbund - Published: 2024-12-22 23:00 - Updated: 2025-01-21 23:00

Summary

Vaultwarden: Schwachstelle ermöglicht Privilegieneskalation

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Vaultwarden ist eine alternative Implementierung der Server API des Bitwarden Passwort-Managers.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Vaultwarden ausnutzen, um seine Privilegien zu erhöhen.

Betroffene Betriebssysteme

- Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Vaultwarden ist eine alternative Implementierung der Server API des Bitwarden Passwort-Managers.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Vaultwarden ausnutzen, um seine Privilegien zu erh\u00f6hen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3743 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3743.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3743 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3743"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugzilla vom 2024-12-22",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333590"
      },
      {
        "category": "external",
        "summary": "GitHub vom 2024-12-22",
        "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-g65h-982x-4m5m"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2025-0ABEE701C3 vom 2025-01-15",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-0abee701c3"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2025-90C1787FFB vom 2025-01-15",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-90c1787ffb"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2025-3DFF292265 vom 2025-01-21",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-3dff292265"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2025-4CB7637C98 vom 2025-01-21",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-4cb7637c98"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2025-CD95859E4B vom 2025-01-21",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-cd95859e4b"
      }
    ],
    "source_lang": "en-US",
    "title": "Vaultwarden: Schwachstelle erm\u00f6glicht Privilegieneskalation",
    "tracking": {
      "current_release_date": "2025-01-21T23:00:00.000+00:00",
      "generator": {
        "date": "2025-01-22T09:44:24.448+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2024-3743",
      "initial_release_date": "2024-12-22T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-12-22T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-01-15T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2025-01-21T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Fedora aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.32.7",
                "product": {
                  "name": "Open Source Vaultwarden \u003c1.32.7",
                  "product_id": "T039961"
                }
              },
              {
                "category": "product_version",
                "name": "1.32.7",
                "product": {
                  "name": "Open Source Vaultwarden 1.32.7",
                  "product_id": "T039961-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaultwarden:vaultwarden:1.32.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Vaultwarden"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-56335",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Vaultwarden. Dieser Fehler existiert wegen einer unsachgem\u00e4\u00dfen Privilegien- und Zugriffsverwaltung sowie einer unsachgem\u00e4\u00dfen Authentifizierung und Autorisierung. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um seine Privilegien zu erh\u00f6hen."
        }
      ],
      "product_status": {
        "known_affected": [
          "74185",
          "T039961"
        ]
      },
      "release_date": "2024-12-22T23:00:00.000+00:00",
      "title": "CVE-2024-56335"
    }
  ]
}

CVE-2024-56335 (GCVE-0-2024-56335)

Vulnerability from cvelistv5 – Published: 2024-12-20 20:15 – Updated: 2024-12-24 15:57

Title

Privilege escalation allows organization groups to be updated/deleted if their UUID is known in vaultwarden

Summary

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. In affected versions an attacker is capable of updating or deleting groups from an organization given a few conditions: 1. The attacker has a user account in the server. 2. The attacker's account has admin or owner permissions in an unrelated organization. 3. The attacker knows the target organization's UUID and the target group's UUID. Note that this vulnerability is related to group functionality and as such is only applicable for servers who have enabled the `ORG_GROUPS_ENABLED` setting, which is disabled by default. This attack can lead to different situations: 1. Denial of service, the attacker can limit users from accessing the organization's data by removing their membership from the group. 2. Privilege escalation, if the attacker is part of the victim organization, they can escalate their own privileges by joining a group they wouldn't normally have access to. For attackers that aren't part of the organization, this shouldn't lead to any possible plain-text data exfiltration as all the data is encrypted client side. This vulnerability is patched in Vaultwarden `1.32.7`, and users are recommended to update as soon as possible. If it's not possible to update to `1.32.7`, some possible workarounds are: 1. Disabling `ORG_GROUPS_ENABLED`, which would disable groups functionality on the server. 2. Disabling `SIGNUPS_ALLOWED`, which would not allow an attacker to create new accounts on the server.

Severity ?

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CWE

CWE-269 - Improper Privilege Management
CWE-284 - Improper Access Control
CWE-285 - Improper Authorization
CWE-287 - Improper Authentication

Assigner

GitHub_M

References

URL

Tags

https://github.com/dani-garcia/vaultwarden/securi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	dani-garcia	vaultwarden	Affected: < 1.32.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56335",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-24T15:57:37.356878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-24T15:57:45.407Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vaultwarden",
          "vendor": "dani-garcia",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.32.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. In affected versions an attacker is capable of updating or deleting groups from an organization given a few conditions: 1. The attacker has a user account in the server. 2. The attacker\u0027s account has admin or owner permissions in an unrelated organization. 3. The attacker knows the target organization\u0027s UUID and the target group\u0027s UUID. Note that this vulnerability is related to group functionality and as such is only applicable for servers who have enabled the `ORG_GROUPS_ENABLED` setting, which is disabled by default. This attack can lead to different situations: 1. Denial of service, the attacker can limit users from accessing the organization\u0027s data by removing their membership from the group. 2. Privilege escalation, if the attacker is part of the victim organization, they can escalate their own privileges by joining a group they wouldn\u0027t normally have access to. For attackers that aren\u0027t part of the organization, this shouldn\u0027t lead to any possible plain-text data exfiltration as all the data is encrypted client side. This vulnerability is patched in Vaultwarden `1.32.7`, and users are recommended to update as soon as possible. If it\u0027s not possible to update to `1.32.7`,  some possible workarounds are: 1. Disabling `ORG_GROUPS_ENABLED`, which would disable groups functionality on the server. 2. Disabling `SIGNUPS_ALLOWED`, which would not allow an attacker to create new accounts on the server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-20T20:15:35.854Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-g65h-982x-4m5m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-g65h-982x-4m5m"
        }
      ],
      "source": {
        "advisory": "GHSA-g65h-982x-4m5m",
        "discovery": "UNKNOWN"
      },
      "title": "Privilege escalation allows organization groups to be updated/deleted if their UUID is known in vaultwarden"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-56335",
    "datePublished": "2024-12-20T20:15:35.854Z",
    "dateReserved": "2024-12-19T18:39:53.612Z",
    "dateUpdated": "2024-12-24T15:57:45.407Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2024-3743

CVE-2024-56335 (GCVE-0-2024-56335)

Tags

Sightings

Nomenclature