Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some refactoring, optimizations and security fixes #5291

Merged
merged 1 commit into from
Dec 13, 2024
Merged

Some refactoring, optimizations and security fixes #5291

merged 1 commit into from
Dec 13, 2024

Conversation

BlackDex
Copy link
Collaborator

@BlackDex BlackDex commented Dec 13, 2024
edited
Loading

  • Refactored several code to use more modern syntax
  • Made some checks a bit more strict
  • Updated crates

We also fixed a security issue with groups. Admins from any organization were able to modify or delete groups in any other organization if they know the group's uuid. The organization uuid was not used in the query or validated with the group. This is now fixed including some other parts where i changed the checks to be more strict.

@BlackDex
Some refactoring and optimizations
bec475d 
- Refactored several code to use more modern syntax
- Made some checks a bit more strict
- Updated crates

Signed-off-by: BlackDex <[email protected]>
@BlackDex BlackDex requested a review from dani-garcia December 13, 2024 23:35
@dani-garcia dani-garcia merged commit 9cd400d into dani-garcia:main Dec 13, 2024
5 checks passed
@BlackDex BlackDex deleted the general-fixes branch December 15, 2024 11:55
@BlackDex BlackDex changed the title Some refactoring and optimizations Some refactoring, optimizations and security fixes Dec 20, 2024
@gaby
Copy link

gaby commented Dec 20, 2024
edited
Loading

@dani-garcia @BlackDex This should be submitted as a CVE.

https://github.com/dani-garcia/vaultwarden/security/advisories/new

It's basically a priv escalation, among other CWE's that apply like:

  • CWE-269
  • CWE-284
  • CWE-285
  • CWE-287

@BlackDex
Copy link
Collaborator Author

I'm not sure if we really should report a CVE to be honest.
I'm not against it though, but also not sure if this would really add any benefit either.

It will probably take a long time for it to be requested and granted, since for one i have never done that my self before, and what i hear is that it is a long process.

@gaby
Copy link

gaby commented Dec 20, 2024

@BlackDex With GitHub it takes 1-2 days. You do it through that URL I posted above. GitHub will handle adding the entry to the registries, assigning a cve #, etc.

@BlackDex
Copy link
Collaborator Author

Ok. fine by me

@dani-garcia
Copy link
Owner

For future reference, the advisory lives here, but it's private at the moment while waiting for Github to assign it a CVE:

GHSA-g65h-982x-4m5m

I'll update here again once that process is done and the CVE is public.

@dani-garcia
Copy link
Owner

Well that didn't take long at all, advisory and CVE are public at GHSA-g65h-982x-4m5m

@gaby
Copy link

gaby commented Dec 20, 2024

@dani-garcia Thank you 💪

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dani-garcia dani-garcia dani-garcia approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@BlackDex @gaby @dani-garcia