Security fixes
This release contains security fixes for the following advisories. We strongly advise updating as soon as possible.
SSO Login CSRF - GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
User/Organization Enumeration - GHSA-hxqh-ff5p-wfr3
SSO existing-user binding - GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint - GHSA-72vh-x5jq-m82g
Some crates updated and other minor security enhancements
These are private for now, pending CVE assignment.
https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0
Original Reddit discussion: https://www.reddit.com/r/selfhosted/comments/1t2qd26/vaultwarden_1360_patches_vulnerabilities/
I’m in the camp that believes I’m not that interesting of a target; Bitwarden is a much better target than my Vaultwarden instance. Do I believe that makes me invisible to attackers? Nope; if someone is targeting you, relying on an external company doesn’t protect you, it just shifts the risks to them on paper.
Plus, if someone is genuinely out to get you, they won’t waste time finding a vaultwarden zeroday, they’ll just bust out the wrenches…
That’s getting to be an old reference but still 100% accurate!