
Cloud Vulnerability DB
A community-led vulnerabilities database
Vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs. The vulnerability (CVE-2024-56335) was discovered and disclosed on December 20, 2024. It affects versions prior to 1.32.7 and allows attackers to update or delete groups from an organization under specific conditions. It applies only to servers that have enabled the ORG_GROUPS_ENABLED setting, which is disabled by default (GitHub Advisory).
The vulnerability requires three specific conditions to be exploited: 1) The attacker must have a user account on the server, 2) The attacker's account must have admin or owner permissions in an unrelated organization, and 3) The attacker must know the target organization's UUID and the target group's UUID. The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L. The vulnerability is associated with multiple CWE categories including CWE-269 (Improper Privilege Management), CWE-284 (Improper Access Control), CWE-285 (Improper Authorization), and CWE-287 (Improper Authentication) (NVD).
The vulnerability can lead to two primary impact scenarios: 1) Denial of service, where the attacker can limit users from accessing the organization's data by removing their membership from the group, and 2) Privilege escalation, where if the attacker is part of the victim organization, they can escalate their own privileges by joining a group they wouldn't normally have access to. For attackers that aren't part of the organization, this vulnerability shouldn't lead to any possible plain-text data exfiltration as all the data is encrypted client-side (GitHub Advisory).
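The following Rust snippet is an added illustration of the authorization flaw the conditions above describe; it is not vaultwarden's code, and the `Memberships` table, role names and org identifiers are constructed for the example. It contrasts a group-edit check that only asks whether the caller is an admin or owner of any organization with one that keys the lookup on the organization named in the request.

```rust
use std::collections::HashMap;

/// Membership roles, modelled loosely on the advisory's "admin or owner".
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Role {
    User,
    Admin,
    Owner,
}

/// Hypothetical in-memory membership table: (user_id, org_uuid) -> role.
/// Constructed for this example; it is not vaultwarden's data model.
pub struct Memberships(pub HashMap<(String, String), Role>);

impl Memberships {
    pub fn new(entries: &[(&str, &str, Role)]) -> Self {
        Memberships(
            entries
                .iter()
                .map(|(u, o, r)| ((u.to_string(), o.to_string()), *r))
                .collect(),
        )
    }

    /// Role of `user` in `org`, if they are a member of it at all.
    pub fn role(&self, user: &str, org: &str) -> Option<Role> {
        self.0.get(&(user.to_string(), org.to_string())).copied()
    }

    /// True if `user` holds an admin/owner role in *any* organization.
    pub fn is_admin_anywhere(&self, user: &str) -> bool {
        self.0
            .iter()
            .any(|((u, _), r)| u.as_str() == user && matches!(r, Role::Admin | Role::Owner))
    }
}

/// Weak authorization of the kind the advisory describes: the caller only needs
/// an admin/owner role somewhere; the org UUID in the request is never compared.
pub fn weak_can_edit_group(m: &Memberships, user: &str, _org: &str) -> bool {
    m.is_admin_anywhere(user)
}

/// Hardened authorization: the role lookup is keyed on the requested org, so a
/// role held in an unrelated organization grants nothing here.
pub fn strict_can_edit_group(m: &Memberships, user: &str, org: &str) -> bool {
    matches!(m.role(user, org), Some(Role::Admin | Role::Owner))
}
```

A detection angle follows from the same contrast: a group update or delete whose caller has no membership row in the target organization is exactly the request the strict check rejects and the weak one lets through.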
The vulnerability has been patched in Vaultwarden version 1.32.7, and users are recommended to update as soon as possible. For users unable to update immediately, two workarounds are available: 1) Disabling ORG_GROUPS_ENABLED, which would disable groups functionality on the server, or 2) Disabling SIGNUPS_ALLOWED, which would prevent attackers from creating new accounts on the server (GitHub Advisory).
Source: This report was generated using AI