See this post from another website for more context.
Important: Make a backup first, at least one user mentioned the update breaking their install
A new version (1.32.0) of Vaultwarden is out with security fixes:
This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.
CVE-2024-39924 Fixed via #4715
CVE-2024-39925 Fixed via #4837
CVE-2024-39926 Fixed via #4737
You must log in or register to comment.
Docker image is already updated.
Not to flame on anyone, and without reading the details on the specific CVE. But, to share as an advice: this reason is why I prefer keepass + syncthing for my needs. Security for a full blown web app is not trivial and has a bigger “attack surface” than a kdbx file moving p2p through my devices via syncthing.
Security for a full blown web app is not trivial and has a bigger “attack surface” than a kdbx file moving p2p through my devices via syncthing.
Absolutely.
My Vaultwarden instance is only accessible via LAN or VPN though, I don’t think I’d want to expose it to the internet.
If that works for you, great. But a self-hosted service offers a lot of convenience for a relatively small amount of added risk. Some things I like about Bitwarden/Vaultwarden:
- can share logins easily w/ my wife, while each having our own passwords
- nice UX for my phone and desktop (prompts for most apps that require passwords)
- web vault so I can access my logins if I don’t have my phone with me (e.g. lost phone while traveling)
And since it’s self-hosted, I’m far less likely to be targeted than the official Bitwarden instance since an attacker would need to know my domain, as well as being able to exploit the vulnerability through my multiple layers (requests go through HAProxy, my VPN, and Caddy before getting to Vaultwarden). I can make it even more secure by putting it inside my VPN (I have mine routed outside my VPN for the web vault access).
Watchtower took care of that for me 👍
this update broke my installation :(. I have not updated it in a while. Now I have to rollback until I fix this. Hope the backup will work. EDIT: It was the reverse proxy. Check the developer notes before updating.
I’ll include a note in the post about making a backup first, sorry about that!
updated a little while ago due to this post… as the release number is not a .1, i wasn’t expecting this addressing cves. thanks :)
Thanks for the post OP, updating my VaultWarden docker instance ASAP.
