PT-2024-28736 · Unknown · Vaultwarden
Mirko Richter +1
Published 2024-09-13 · Updated 2025-07-10 · CVE-2024-39924
CVSS v3.1 8.8 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Vaultwarden (formerly Bitwarden RS) version 1.30.3
Description A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker who has been granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault while bypassing the required wait period.
Recommendations For Vaultwarden (formerly Bitwarden RS) version 1.30.3, consider disabling the emergency access feature until a patch is available, to prevent privilege escalation. Restrict access to the endpoint responsible for altering the metadata of an emergency access to minimize the risk of exploitation. Avoid using the emergency access feature in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
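The following is an added illustration, not Vaultwarden's own code: an in-memory model of the "update emergency access metadata" endpoint the advisory describes, showing the weak authorization pattern (any party to the grant may edit it) beside a hardened version that restricts edits to the grantor and bounds the wait time. All struct and function names, user IDs and the 1 to 90 day wait-time bound are assumptions made for the example.

```rust
// Added illustration, not Vaultwarden's own code: an in-memory model of the
// endpoint that alters emergency access metadata. Names, IDs and the
// wait-time bounds are assumptions.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum AccessType {
    View,     // grantee may only read the vault after the wait period
    Takeover, // grantee may take over the account after the wait period
}

#[derive(Debug, Clone, PartialEq)]
pub struct EmergencyAccess {
    pub id: u64,
    pub grantor_id: u64, // owner of the vault being shared
    pub grantee_id: u64, // trusted contact holding the emergency access
    pub access_type: AccessType,
    pub wait_time_days: u32,
}

#[derive(Debug, PartialEq)]
pub enum UpdateError {
    NotFound,
    Forbidden,
    InvalidWaitTime,
}

pub struct UpdateRequest {
    pub access_type: AccessType,
    pub wait_time_days: u32,
}

/// Weak pattern (the class of flaw the advisory describes): the only check is
/// that the caller is a party to the grant, so the grantee can change their
/// own access level and wait time.
pub fn update_metadata_weak(
    store: &mut [EmergencyAccess],
    caller_id: u64,
    grant_id: u64,
    req: &UpdateRequest,
) -> Result<(), UpdateError> {
    let grant = store
        .iter_mut()
        .find(|g| g.id == grant_id)
        .ok_or(UpdateError::NotFound)?;
    if caller_id != grant.grantor_id && caller_id != grant.grantee_id {
        return Err(UpdateError::Forbidden);
    }
    grant.access_type = req.access_type;
    grant.wait_time_days = req.wait_time_days;
    Ok(())
}

/// Hardened pattern: only the grantor may change access level or wait time,
/// and the wait time is validated so it cannot be set to zero.
pub fn update_metadata(
    store: &mut [EmergencyAccess],
    caller_id: u64,
    grant_id: u64,
    req: &UpdateRequest,
) -> Result<(), UpdateError> {
    let grant = store
        .iter_mut()
        .find(|g| g.id == grant_id)
        .ok_or(UpdateError::NotFound)?;
    // Ownership check: the grantee (or anyone else) is rejected before any write.
    if caller_id != grant.grantor_id {
        return Err(UpdateError::Forbidden);
    }
    // Assumed policy bound: a wait period between 1 and 90 days.
    if !(1..=90).contains(&req.wait_time_days) {
        return Err(UpdateError::InvalidWaitTime);
    }
    grant.access_type = req.access_type;
    grant.wait_time_days = req.wait_time_days;
    Ok(())
}

/// Constructed sample data: grantor 10 has given grantee 20 view-only access
/// with a 7-day wait period.
pub fn sample_store() -> Vec<EmergencyAccess> {
    vec![EmergencyAccess {
        id: 1,
        grantor_id: 10,
        grantee_id: 20,
        access_type: AccessType::View,
        wait_time_days: 7,
    }]
}

fn main() {
    let escalate = UpdateRequest { access_type: AccessType::Takeover, wait_time_days: 1 };

    let mut weak = sample_store();
    let r = update_metadata_weak(&mut weak, 20, 1, &escalate);
    println!("weak, grantee 20: {:?} -> {:?}", r, weak[0]);

    let mut hardened = sample_store();
    let r = update_metadata(&mut hardened, 20, 1, &escalate);
    println!("hardened, grantee 20: {:?} -> {:?}", r, hardened[0]);
}
```

The design point is that the authorization decision is made on the grant's owner, not on mere membership in the grant, and that it happens before any field is written; the server-side bound on the wait time is a second, independent control so that even a grantor's client cannot submit a zero wait period.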

Weakness Enumeration Improper Privilege Management; Incorrect Default Permissions
Related Identifiers CVE-2024-39924
Affected Products Vaultwarden