PT-2024-28737 · Unknown · Vaultwarden

Mirko Richter +1

Published 2024-09-13 · Updated 2025-07-10

CVE-2024-39925

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vaultwarden (formerly Bitwarden RS) version 1.30.3

Description: An issue was discovered in Vaultwarden, which lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs, and the departing member retains a copy of the organization key. The application also fails to adequately protect some encrypted data stored on the server, allowing an authenticated user to gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization, provided they know the corresponding organizationId.

Recommendations: For Vaultwarden version 1.30.3, consider implementing a proper offboarding process that rotates the shared organization key when a member departs, and ensure that access to encrypted data is properly revoked for departing members. As a temporary workaround, restrict access to the encrypted data stored on the server to minimize the risk of exploitation. Additionally, consider disabling the feature that allows authenticated users to access encrypted data of other organizations until a proper fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
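As an added illustration (not Vaultwarden's code), the following Rust model shows the two controls the description says are missing: a current-membership check before organization data is returned for a given organizationId, and rotation of the organization key when a member is offboarded. The names (`Vault`, `get_org_ciphers`, `offboard`) are hypothetical, and the key is represented by a version counter rather than real re-encryption.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical in-memory model, not Vaultwarden's code. One error variant is
// returned whether the org is unknown or the caller is not a member, so a
// guessed organizationId cannot be used to confirm that an organization exists.
#[derive(Debug, PartialEq)]
pub enum AccessError { Forbidden }

pub struct Organization {
    members: HashSet<String>,
    key_version: u32,     // stands in for the shared organization key
    ciphers: Vec<String>, // constructed placeholder ciphertexts
}

#[derive(Default)]
pub struct Vault { orgs: HashMap<String, Organization> }

impl Vault {
    pub fn add_org(&mut self, org_id: &str, members: &[&str]) {
        self.orgs.insert(org_id.to_string(), Organization {
            members: members.iter().map(|m| m.to_string()).collect(),
            key_version: 1,
            ciphers: vec!["2.ciphertext-a".into(), "2.ciphertext-b".into()],
        });
    }

    // Hardened read path: knowing an organizationId is not enough; the
    // authenticated user must currently be a member of that organization.
    pub fn get_org_ciphers(&self, user: &str, org_id: &str) -> Result<&[String], AccessError> {
        match self.orgs.get(org_id) {
            Some(org) if org.members.contains(user) => Ok(&org.ciphers),
            _ => Err(AccessError::Forbidden),
        }
    }

    // Offboarding: drop the membership and rotate the organization key so the
    // copy the departing member still holds no longer matches the current key.
    // Returns the new key version.
    pub fn offboard(&mut self, org_id: &str, user: &str) -> Result<u32, AccessError> {
        let org = self.orgs.get_mut(org_id).ok_or(AccessError::Forbidden)?;
        if !org.members.remove(user) { return Err(AccessError::Forbidden); }
        org.key_version += 1;
        Ok(org.key_version)
    }

    pub fn key_version(&self, org_id: &str) -> Option<u32> {
        self.orgs.get(org_id).map(|o| o.key_version)
    }
}
```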

Weakness Enumeration
Improper Privilege Management
Information Disclosure

Related Identifiers
CVE-2024-39925

Affected Products
Vaultwarden