Saturday, January 25, 2025

Re: SECURITY UPDATE security/vaultwarden-1.33.0

Bjorn Ketelaars <bket@openbsd.org> writes:

> Diff below updates vaultwarden to 1.33.0, which contains 3 security
> fixes:
> - GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
> have an ADMIN_TOKEN configured and open links or pages you should not
> trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
> admin environment safe.
> - GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
> was able to gain access to your Vaultwarden Admin Backend. The
> attacker could then change some settings to use sendmail as mail agent
> but adjust the settings in such a way that it would use a shell
> command. It then also needed to craft a special favicon image which
> would have the commands embedded to run during for example sending a
> test email.
> - GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
> multiple Organizations and users which are able to create a new
> organization or have admin or owner rights on at least one
> organization. The attacker does need to know the Organization UUID of
> the Organization it wants to attack or compromise though.
>
> Overview on changes can be found at
> https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
>
> Run tested on amd64.
>
> OK/comments?

It builds fine with upcoming lang/rust 1.84.0, so I would prefer updating it
instead of backporting a patch (see my previous mail about vaultwarden).

ok semarie@
--
Sebastien Marie
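The quoted advisory summary names two server-side conditions an operator can check for directly: an unset ADMIN_TOKEN, and sendmail settings (reachable only through the admin backend) that would hand their value to a shell. The script below is an added example, not code from vaultwarden or from this thread. It assumes an env-style KEY=VALUE config file; ADMIN_TOKEN is the variable named above, while the SENDMAIL_COMMAND key name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vaultwarden's own code): audit an env-style config file
# for the two conditions the advisory text describes.

# Constructed sample config. Both findings are present on purpose:
# an empty ADMIN_TOKEN and a sendmail command containing a pipe.
# The SENDMAIL_COMMAND key name is an assumption.
write_sample_config() {
  cat > "$1" <<'EOF'
DOMAIN=https://vault.example.invalid
ADMIN_TOKEN=
USE_SENDMAIL=true
SENDMAIL_COMMAND=/usr/sbin/sendmail -t | tee /tmp/mail.log
EOF
}

# Print the value of KEY ($2) from file $1; last definition wins,
# empty output if the key is absent or has no value.
cfg_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# 0 if ADMIN_TOKEN is present and non-empty, 1 otherwise.
check_admin_token() {
  tok=$(cfg_get "$1" ADMIN_TOKEN)
  [ -n "$tok" ]
}

# 0 if the sendmail command is free of shell metacharacters, 1 if any of
# ; | & ` $ ( ) < > appear (a value that only makes sense to a shell).
check_sendmail_command() {
  cmd=$(cfg_get "$1" SENDMAIL_COMMAND)
  if printf '%s' "$cmd" | grep -q '[;|&`$()<>]'; then
    return 1
  fi
  return 0
}

# Run both checks, report on stderr, return 1 if anything was flagged.
audit_config() {
  rc=0
  if ! check_admin_token "$1"; then
    echo "WARN: ADMIN_TOKEN unset or empty; admin backend is unprotected" >&2
    rc=1
  fi
  if ! check_sendmail_command "$1"; then
    echo "WARN: SENDMAIL_COMMAND contains shell metacharacters" >&2
    rc=1
  fi
  return $rc
}

# Usage: . ./audit.sh && audit_config /path/to/vaultwarden.env
```

The metacharacter check is deliberately coarse: a legitimate sendmail invocation is a path plus flags and never needs a pipe, redirection or command substitution, so any such character is worth a look rather than an attempt to parse intent.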
