Vaultwarden 1.32.0 released with several security fixes
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0
This release fixes several reported CVEs, and we recommend that everybody update to the latest version as soon as possible.
CVE-2024-39924 Fixed via #4715
CVE-2024-39925 Fixed via #4837
CVE-2024-39926 Fixed via #4737
BTW the security flaws were discovered as part of CAOS, a code review program run by the German Federal Office for Information Security: https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/Codeanalyse-KeePass-Vaultwarden_241014.html (German)
As part of the project for the "Code Analysis of Open Source Software" (CAOS 3.0), the Federal Office for Information Security (BSI) examined the password managers KeePass and Vaultwarden for their security characteristics. Two security vulnerabilities with the "high" rating were identified in Vaultwarden.
In most cases, cyber attacks can be attributed to errors in the program code of the affected applications. The CAOS project helps to identify and eliminate common vulnerabilities and risks. Together with mgm security partners GmbH, the BSI checked the source code of the password managers KeePass and Vaultwarden for possible defects. The BSI communicated the vulnerabilities found in the process to the developers concerned as part of a responsible disclosure procedure. They have analyzed the weak points and have already reacted. The results now published are a combination of source code review, dynamic analysis and interface analysis in the areas of network interfaces, protocols and standards.
In cooperation with mgm security partners GmbH, the BSI started the project "Code Analysis of Open Source Software" (CAOS) in 2021. The task of the project is the vulnerability analysis with the aim of increasing the security of open source software. The project is intended to support developers in the creation of secure software applications and increase confidence in open source software. The focus is on applications that are increasingly used by authorities or private individuals. This new publication is the result of the successor project "Code Analysis of Open Source Software" (CAOS 3.0).
In order to increase the security of open source software in the future, further code analyses are planned. The project for the "Code Analysis of Open Source Software" will be continued. The results will also be published on the BSI website after a responsible disclosure procedure. The procedure allows developers a reasonable period of time to fix security vulnerabilities before publishing them.
@necrevistonnezr Thank you for providing this information. It is really nice to know that although I am not a German taxpayer they are watching my back as well. Much appreciated. @joseph And as usual, Cloudron team is on the ball patching quickly so any exposure is minimized. Well done!