CVE-2024-56335 – Privilege escalation allows organization groups to be updated/deleted if their UUID is known in vaultwarden

https://notcve.org/view.php?id=CVE-2024-56335

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. In affected versions an attacker is capable of updating or deleting groups from an organization given a few conditions: 1. The attacker has a user account in the server. 2. The attacker's account has admin or owner permissions in an unrelated organization. 3. The attacker knows the target organization's UUID and the target group's UUID. • https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-g65h-982x-4m5m • CWE-269: Improper Privilege Management CWE-284: Improper Access Control CWE-285: Improper Authorization CWE-287: Improper Authentication •