Server-Side Request Forgery Risk in Bitwarden Server by Bitwarden
CVE-2020-15879

7.5HIGH

Key Information:

Vendor: Bitwarden
Status: Server
Vendor: CVE Published:; 21 July 2020

What is CVE-2020-15879?

The Bitwarden Server version 1.35.1 is susceptible to a Server-Side Request Forgery (SSRF) vulnerability. This arises from the software's failure to properly validate specific IPv6 addresses—including those beginning with fc, fd, fe, or ff, as well as the :: address—alongside certain IPv4 addresses like 0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16. As a result, attackers can exploit this oversight to send requests originating from the server, potentially enabling unauthorized actions or data exposure.

References

https://github.com/bitwarden/server/pull/827

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 21, 2020
Vulnerability Reserved
Jul 21, 2020