CVE-2024-39924

EPSS 13.06%
Veröffentlicht 13.09.2024 18:15:03
Zuletzt bearbeitet 10.07.2025 13:23:50
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dani-garcia ≫ Vaultwarden Version1.30.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	13.06%	0.958

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/api/core/emergency_access.rs#L115-L148

Product

https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0

Release Notes

https://www.mgm-sp.com/cve/missing-authentication-check-for-emergency-access

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-39924

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39924

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39924

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-39924