Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

• GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
• GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
• GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.

These are private for now, pending CVE assignment.

What’s Changed

• Update Rust and Crates and GHA by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6843
• hide remember 2fa token by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/6852
• fix(send_invite): invite links by @proofofcopilot in https://github.com/dani-garcia/vaultwarden/pull/6824
• Misc organization fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/6867

New Contributors

• @proofofcopilot made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/6824

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.35.3…1.35.4