Over on Reddit, there is a post, “PSA: Update Vaultwarden as soon as possible” suggesting updating to rev 1.32.4. Unknown if the three mentioned vulnerabilities are new or recurrences of those mentioned in 1.32.0.
Although Vaultwarden is not a Bitwarden product, I figure it worth mentioning so that our “cousins” who don’t really seem to get the distinction are aware of the need for maintenance.
Seems clear to me based on the language used in the release notes (and also looking at some of the code changes) that the CVEs are in fact new, and not yet published.
Seems the topic continues with the next version 1.32.5 …
Saw that.
… we recommend everybody to update to the latest version as soon as possible. The contents of these reports will be disclosed publicly in the future.
One of the flaws with this approach is that releasing the update is in-and-of-itself a huge hint as to Vaultwarden’s vulnerability, kicking off an arms-race between the good guys applying updates and the bad guys exploiting that which has not been updated.
One of the reasons I prefer a cloud vault is that if this were to occur to the Bitwarden vault (again, Vaultwarden is not a Bitwarden product), I would not be impacted by the arms race because Bitwarden would apply the fixes to the cloud environment before releasing the updates for the self-hosters.