CVE Vulnerabilities for Bitwarden CLI
| CVE | Published | Severity | Details | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| CVE‑2023‑38840 | 2023‑08‑15 17:15:10 | MEDIUM (6) | Bitwarden Desktop 2023.7.0 and below allows an attacker with local access to obtain sensitive information via the Bitwarden.exe process. | 2 | 4 | LOCAL |
| CVE‑2023‑27974 | 2023‑03‑09 00:15:10 | HIGH (8) | Bitwarden through 2023.2.1 offers password auto-fill when the second-level domain matches, e.g., a password stored for an example.com hosting provider when customer-website.example.com is visited. NOTE: the vendor's position is that "Auto-fill on page load" is not enabled by default. | 4 | 4 | NETWORK |
| CVE‑2023‑27706 | 2023‑06‑09 19:15:09 | HIGH (7) | Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes. | 2 | 5 | LOCAL |
| CVE‑2018‑25081 | 2023‑03‑09 00:15:10 | HIGH (8) | Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on page load" is not enabled by default. | 4 | 4 | NETWORK |
View OS-specific patching for:
Windows Mac Linux
Logos, products, trade names, and company names are all the property of their respective trademark holders.
The above listing includes products that Lavawall® monitors through public information and/or proprietary statistical analysis.
Although we do have a partner relationship with some of the listed products and companies, they do not necessarily endorse Lavawall® or have integrations with our systems.