Fix data disclosure on organization endpoints #1003

Closed
opened 2026-04-06 01:32:50 +02:00 by MrUnknownDE · 0 comments

Originally created by @BlackDex on 8/11/2024

  • All users were able to request organizational details from any org, even if they were not a member (anymore). Now it will check if that user is a member of the org or not.
  • The /organization/<uuid>/keys endpoint also returned the private keys. This should not be the case. Also, according to the upstream server code the endpoint changed, but the clients do not seem to use it. I added it anyway just in case they will in the future.
  • Also require a valid login before being able to retrieve those org keys. Upstream does not do this, but I see no reason why not.

Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39925
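The two checks the description asks for on the keys endpoint, shown as an added example that is not Vaultwarden's own code and not from the PR: a vulnerable handler shape that serves the full key record to anyone who knows the org id, beside a hardened shape that first requires an authenticated user, then requires an active membership in that org, and finally returns only the public key. All types and names (`Store`, `OrgKeys`, `MembershipStatus`, `get_org_keys`, the sample ids) are hypothetical stand-ins for the real database and handler layers; treating only `Accepted` and `Confirmed` memberships as entitled is an assumption.

```rust
// Added illustration, not Vaultwarden's code. Models the checks the PR
// describes for `/organization/<uuid>/keys`: caller must be logged in,
// must be an active member of the org, and must only see the public key.
// All names here are hypothetical; the store is an in-memory stand-in.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct OrgKeys {
    pub public_key: String,
    /// Encrypted org private key; must never leave the server via this endpoint.
    pub private_key: String,
}

/// Public-key-only view that is safe to hand to a client.
#[derive(Debug, PartialEq)]
pub struct OrgKeysResponse {
    pub public_key: String,
}

#[derive(Debug, PartialEq)]
pub enum ApiError {
    Unauthorized, // no valid login on the request
    NotMember,    // logged in, but not (or no longer) a member of this org
    NotFound,
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum MembershipStatus {
    Invited,
    Accepted,
    Confirmed,
    Revoked,
}

/// In-memory stand-in for the database (hypothetical).
pub struct Store {
    pub orgs: HashMap<String, OrgKeys>,
    pub memberships: HashMap<(String, String), MembershipStatus>,
}

/// Vulnerable shape: no login required, no membership check, and the
/// whole record, private key included, is serialized back to the caller.
pub fn get_org_keys_vulnerable(store: &Store, org_id: &str) -> Result<OrgKeys, ApiError> {
    store.orgs.get(org_id).cloned().ok_or(ApiError::NotFound)
}

/// Hardened shape. `user` is `None` when the request carried no valid session.
pub fn get_org_keys(
    store: &Store,
    user: Option<&str>,
    org_id: &str,
) -> Result<OrgKeysResponse, ApiError> {
    let user_id = user.ok_or(ApiError::Unauthorized)?;
    // Membership is keyed by (user, org). A missing row and a revoked row
    // both deny. Checking membership before looking the org up also keeps
    // the endpoint from confirming which org ids exist to non-members.
    match store.memberships.get(&(user_id.to_string(), org_id.to_string())) {
        Some(MembershipStatus::Accepted) | Some(MembershipStatus::Confirmed) => {}
        _ => return Err(ApiError::NotMember),
    }
    let keys = store.orgs.get(org_id).ok_or(ApiError::NotFound)?;
    // Shape the response explicitly instead of serializing the DB row.
    Ok(OrgKeysResponse { public_key: keys.public_key.clone() })
}

/// Constructed sample data: one org, one confirmed member, one revoked member.
pub fn sample_store() -> Store {
    let mut orgs = HashMap::new();
    orgs.insert(
        "org-a".to_string(),
        OrgKeys {
            public_key: "org-a-public-key".to_string(),
            private_key: "org-a-private-key-enc".to_string(),
        },
    );
    let mut memberships = HashMap::new();
    memberships.insert(("alice".to_string(), "org-a".to_string()), MembershipStatus::Confirmed);
    memberships.insert(("bob".to_string(), "org-a".to_string()), MembershipStatus::Revoked);
    Store { orgs, memberships }
}

fn main() {
    let store = sample_store();
    println!("vulnerable: {:?}", get_org_keys_vulnerable(&store, "org-a"));
    println!("anonymous:  {:?}", get_org_keys(&store, None, "org-a"));
    println!("revoked:    {:?}", get_org_keys(&store, Some("bob"), "org-a"));
    println!("member:     {:?}", get_org_keys(&store, Some("alice"), "org-a"));
}
```

The ordering matters: the login check comes before any database access, and the membership check comes before the org lookup, so an unauthenticated or non-member caller gets the same denial whether or not the org id exists. Returning a dedicated response type rather than the stored record is what prevents a later field added to the row from leaking by default.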


Reference: github/vaultwarden#1003