漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request
Vulnerability Description
Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Bitwarden 授权问题漏洞
Vulnerability Description
Bitwarden server是美国Bitwarden公司开源的一款密码管理服务器软件。 Bitwarden 2026.6.0之前版本存在授权问题漏洞,该漏洞源于未验证POST /auth-requests/admin-request请求体中的电子邮件是否属于已认证调用者,可能导致低权限组织成员获取其他用户的保险库密钥和受害者作用域访问令牌,造成受害者保险库密钥泄露和账户接管。
CVSS Information
N/A
Vulnerability Type
N/A