[3.21] community/vaultwarden: security upgrade to 1.33.0
All threads resolved!
All threads resolved!
https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0
Security Fixes
This release contains security fixes for the following advisories.
And we strongly advice to update as soon as possible.
-
GHSA-f7r5-w49x-gxm3
This vulnerability is only possible if you do not have anADMIN_TOKEN
configured and open links or pages you should not trust anyway. Ensure you have anADMIN_TOKEN
configured to keep your admin environment save. -
GHSA-h6cc-rc6q-23j4
This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email. -
GHSA-j4h8-vch3-f797
This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization. The attacker does need to know the Organization UUID of the Organization it want's to attack or compromise though.
Notable changes
- Updated web-vault to v2025.1.1
- Added partial manage role support for collections
- Manager role is converted to a Custom role with either Manage All Collections or per collection.
Admins and Owners probably want to check and verify if the rights are still correct. - The OCI containers and binaries are signed via GitHub Attestations
This allows you to verify an OCI image or even thevaultwarden
binary located within the OCI image.
These vulnerabilities affects
Merge request reports
Activity
Filter activity
added tag:security v3.21 labels
- Resolved by omni
"Admins and Owners probably want to check and verify if the rights are still correct." - should a
post-upgrade
notice be added?
added 9 commits
-
b7c51aca...a06fd7cf - 8 commits from branch
alpine:3.21-stable
- be64c52e - community/vaultwarden: security upgrade to 1.33.0
-
b7c51aca...a06fd7cf - 8 commits from branch
Please register or sign in to reply