• adr1an@programming.dev
    1 month ago

    Not to flame on anyone, and without reading the details on the specific CVE. But, to share as advice: this is why I prefer KeePass + Syncthing for my needs. Security for a full-blown web app is not trivial and has a bigger “attack surface” than a kdbx file moving p2p through my devices via Syncthing.

    • MangoPenguin@lemmy.blahaj.zone
      1 month ago

      > Security for a full blown web app is not trivial and has a bigger “attack surface” than a kdbx file moving p2p through my devices via syncthing.

      Absolutely.

      My Vaultwarden instance is only accessible via LAN or VPN though, I don’t think I’d want to expose it to the internet.

    • sugar_in_your_tea@sh.itjust.works
      1 month ago

      If that works for you, great. But a self-hosted service offers a lot of convenience for a relatively small amount of added risk. Some things I like about Bitwarden/Vaultwarden:

      • can share logins easily w/ my wife, while each having our own passwords
      • nice UX for my phone and desktop (prompts for most apps that require passwords)
      • web vault so I can access my logins if I don’t have my phone with me (e.g. lost phone while traveling)

      And since it’s self-hosted, I’m far less likely to be targeted than the official Bitwarden instance since an attacker would need to know my domain, as well as being able to exploit the vulnerability through my multiple layers (requests go through HAProxy, my VPN, and Caddy before getting to Vaultwarden). I can make it even more secure by putting it inside my VPN (I have mine routed outside my VPN for the web vault access).

    • kolorafa@lemmy.world
      1 month ago

      Explain how you can use KeePass+Syncthing with 10-50 people (possibly different groups for different passwords) having different sets of access levels while maintaining sane ease of use?

      The passwords are encrypted in the first place so the security for them is only on the client side.

    • BlueBockser@programming.dev
      1 month ago

      Syncthing also relies on a web server for device discovery, it’s just that you’re probably using someone else’s server instead of hosting your own.

      Correct me if I’m wrong, but I also think that Vaultwarden itself doesn’t have access to the unencrypted password database. In that sense it’s E2EE similar to KeePass, the only difference being that KeePass is a desktop app and Vaultwarden a web app.

      • adr1an@programming.dev
        1 month ago

        The Syncthing server only gives metadata (no files, only IPs) between the devices, so they can connect to each other. And it’s self-hostable.

    • youmaynotknow@lemmy.ml
      1 month ago

      Good for you man, I mean it. I would also use KeePass, but I share a lot of logins with my wife, and some with my kids, so having a self-hosted app that can sync seamlessly without added friction, like Bitwarden, is the next best thing.

    • adr1an@programming.dev
      1 month ago

      I might try Vaultwarden myself, given that my life partner is always asking me for some platform password I already shared. Is it possible to use it just on LAN to sync and keep using the passwords from the Android client while out of reach? I was just reading about 30-day sessions in the docs. Apparently, yes. That’s huge (for me, I’d like not to expose anything, even with VPN).

      • sudneo@lemm.ee
        1 month ago

        Yes, you could run it in LAN only. You could access it via VPN only.

        Obviously this adds friction in addition to security, but if that’s fine with you, you can.