Password Auto-fill Vulnerability in Bitwarden by Bitwarden Inc.
CVE-2023-27974

7.5 HIGH

Key Information:

Vendor: Bitwarden
Status: Vendor
CVE Published: 9 March 2023

What is CVE-2023-27974?

Bitwarden through version 2023.2.1 contains a flaw in which password auto-fill can be triggered on any subdomain that shares the stored credential's second-level domain. For instance, a password saved for 'example.com' could be auto-filled on 'customer-website.example.com', even though that subdomain may be operated by an unrelated party (a customer site hosted under the same registrable domain). Bitwarden states that this matching behaviour is not enabled by default, but where it is enabled it exposes stored credentials to phishing and other credential-harvesting sites hosted under a shared domain. Users should review their URI match settings and remain vigilant when auto-filling on sites that resemble legitimate services.
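The following is an added illustration, not Bitwarden's own code, of why second-level (base) domain matching is broader than host matching. It models a password manager's match decision with three simplified modes; the mode names, the vault entries and the tiny public-suffix subset are assumptions constructed for this example (a real implementation uses the full Public Suffix List so that a domain such as 'co.uk' is not treated as a registrable domain).

```javascript
// Added example: a simplified model of how a password manager decides whether a
// saved login matches the page it is on. Not Bitwarden's code; the match-mode
// names and the public-suffix subset below are constructed for illustration.

// Constructed subset of public suffixes (the real list is far longer).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Lower-cased hostname of a URL, e.g. "https://A.Example.com/x" -> "a.example.com".
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Registrable ("second-level") domain: the public suffix plus one more label.
// "customer-website.example.com" -> "example.com"; "login.bank.co.uk" -> "bank.co.uk".
function baseDomain(hostname) {
  const labels = hostname.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname; // no known suffix: treat the whole host as the base domain
}

// Match a stored URI against the current page URL under a given mode.
//   baseDomain - any host sharing the registrable domain matches (the broad mode
//                described in the advisory)
//   host       - only the identical hostname matches
//   exact      - only the identical full URI matches
function matches(savedUri, pageUrl, mode) {
  switch (mode) {
    case "baseDomain":
      return baseDomain(hostOf(savedUri)) === baseDomain(hostOf(pageUrl));
    case "host":
      return hostOf(savedUri) === hostOf(pageUrl);
    case "exact":
      return savedUri === pageUrl;
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// Names of vault items that would be offered for auto-fill on pageUrl.
function candidateLogins(vault, pageUrl, mode) {
  return vault
    .filter((item) => item.uris.some((u) => matches(u, pageUrl, mode)))
    .map((item) => item.name);
}

// Constructed sample vault.
const VAULT = [
  { name: "example.com login", uris: ["https://example.com/login"] },
  { name: "bank.co.uk login", uris: ["https://login.bank.co.uk/"] },
];

// A page under a shared registrable domain: offered under baseDomain, not under host.
const SUBDOMAIN_PAGE = "https://customer-website.example.com/";
console.log("baseDomain:", candidateLogins(VAULT, SUBDOMAIN_PAGE, "baseDomain")); // ["example.com login"]
console.log("host:", candidateLogins(VAULT, SUBDOMAIN_PAGE, "host")); // []
```

Running the block shows that under base-domain matching the 'example.com' credential is offered on 'customer-website.example.com', while host matching offers nothing there; tightening the match mode for credentials stored on shared-hosting domains is the practical mitigation the advisory points at.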

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

The Cyber Security Vulnerability Database.