8.8

CVE-2024-39924

EPSS 0.25%
Veröffentlicht 13.09.2024 18:15:03
Zuletzt bearbeitet 10.07.2025 13:23:50
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dani-garcia ≫ Vaultwarden Version1.30.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.479

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/api/core/emergency_access.rs#L115-L148

Product

https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0

Release Notes

https://www.mgm-sp.com/cve/missing-authentication-check-for-emergency-access

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-39924

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39924

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39924

EUVD