Security fixes

This release contains security fixes for the following advisories. We strongly advise to update as soon as possible.

- SSO Login CSRF - GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
- User/Organization Enumeration - GHSA-hxqh-ff5p-wfr3
- SSO existing-user binding - GHSA-j4j8-gpvj-7fqr
- GHSA-6x5c-84vm-5j56
- SSRF via Icon Endpoint - GHSA-72vh-x5jq-m82g
- Some crates updated and other minor security enhancements

These are private for now, pending CVE assignment.

https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0

Original Reddit discussion: https://www.reddit.com/r/selfhosted/comments/1t2qd26/vaultwarden_1360_patches_vulnerabilities/

  • irmadlad@lemmy.world · 5 hours ago

    Ooof! I think I have a pretty robust network security deployment. I’m just not convinced 100%, and therefore I am prohibited from deploying any self hosted password manager. Too risky. I know there are 1000s of people who do, and kudos to you for being able to sleep at night. Your security must rival the SCIFs.