vaultwarden 1.33.0 #1575

sjorge · 2025-01-26T08:48:17Z

Seems there are a lot of releases as of late with security fixes :(

Security Fixes

This release contains security fixes for the following advisories.

GHSA-f7r5-w49x-gxm3
This vulnerability is only possible if you do not have an ADMIN_TOKEN configured and open links or pages you should not trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your admin environment save.
GHSA-h6cc-rc6q-23j4
This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email.
GHSA-j4h8-vch3-f797
This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization. The attacker does need to know the Organization UUID of the Organization it want's to attack or compromise though.

sjorge requested review from citrus-it, hadfl and oetiker as code owners January 26, 2025 08:48

vaultwarden 1.33.0

3fd009f

hadfl force-pushed the vw branch from ee7aa9c to 3fd009f Compare January 27, 2025 10:17

hadfl approved these changes Jan 27, 2025

View reviewed changes

citrus-it approved these changes Jan 27, 2025

View reviewed changes

citrus-it merged commit 071e3c6 into omniosorg:master Jan 27, 2025
1 check passed