Please update Vaultwarden as soon as possible if you have not done so yet.
The blog post contains an interesting timeline. Apparently, the first fix was not sufficient. So if you have updated Vaultwarden before November 18, update it again.
Copy of the timeline:
- End of October 2024: ERNW assesses Vaultwarden for the customer.
- November 08, 2024: ERNW discloses the vulnerabilities to the Vaultwarden team.
- November 10, 2024: Fix and release of Vaultwarden v1.32.4.
- November 11, 2024: ERNW retests the software and identifies that the fix is not sufficient.
- November 11, 2024: Public merge with fix and request for feedback by the Vaultwarden team.
- November 12, 2024: ERNW acknowledges that the fix is complete.
- November 18, 2024: Release of Vaultwarden v1.32.5.
Am I understanding correctly that if users had 2FA, the vulnerability would be prevented from gaining access?
Correct. Only users without 2FA were in danger.