Home > Vulnerability Database > CVE-2024-39924

Mend.io Vulnerability Database

CVE-2024-39924

Date: September 12, 2024

An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period.

Language: RUST

Severity Score

8.8

Related Resources (5)

Url: https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/api/core/emergency_access.rs#L115-L148

Url: https://www.mgm-sp.com/cve/missing-authentication-check-for-emergency-access

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-39924

Url: https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0

Url: https://www.mend.io/vulnerability-database/CVE-2024-39924

Severity Score

8.8

Weakness Type (CWE)

Improper Privilege Management

CWE-269

Incorrect Default Permissions

CWE-276

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-39924

Date: September 12, 2024

Language: RUST

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?