[PR #4715] [MERGED] Some fixes for emergency access #7119

New Issue

Closed

opened 2026-03-07 21:11:20 -06:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-03-07 21:11:20 -06:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/4715
Author: @BlackDex
Created: 7/8/2024
Status: ✅ Merged
Merged: 7/8/2024
Merged by: @dani-garcia

Base: main ← Head: ea_fixes

---

📝 Commits (1)

• c1a01b6 Some fixes for emergency access

📊 Changes

3 files changed (+116 additions, -95 deletions)

View changed files

📝 src/api/core/accounts.rs (+6 -9)
📝 src/api/core/emergency_access.rs (+90 -77)
📝 src/db/models/emergency_access.rs (+20 -9)

📄 Description

• Add missing Headers parameter for some functions This allowed any request from allowing these endpoints by not validating the user correctly.
• Changed the functions to retreive the emergency access record by using the user uuid which calls the endpoint, instead of validating afterwards. This is more secure and prevents the need of an if check.

Fixes https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39924

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/4715 **Author:** [@BlackDex](https://github.com/BlackDex) **Created:** 7/8/2024 **Status:** ✅ Merged **Merged:** 7/8/2024 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `main` ← **Head:** `ea_fixes` --- ### 📝 Commits (1) - [`c1a01b6`](https://github.com/dani-garcia/vaultwarden/commit/c1a01b6bc0588432d02e0f11e9129068791280c7) Some fixes for emergency access ### 📊 Changes **3 files changed** (+116 additions, -95 deletions) <details> <summary>View changed files</summary> 📝 `src/api/core/accounts.rs` (+6 -9) 📝 `src/api/core/emergency_access.rs` (+90 -77) 📝 `src/db/models/emergency_access.rs` (+20 -9) </details> ### 📄 Description - Add missing `Headers` parameter for some functions This allowed any request from allowing these endpoints by not validating the user correctly. - Changed the functions to retreive the emergency access record by using the user uuid which calls the endpoint, instead of validating afterwards. This is more secure and prevents the need of an if check. Fixes https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39924 --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-03-07 21:11:20 -06:00

GiteaMirror closed this issue 2026-03-07 21:11:20 -06:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#7119