CVE-2023-27974

7.5 HIGH

📋 TL;DR

This vulnerability in Bitwarden password managers allows auto-filling of saved passwords when visiting subdomains that share the same second-level domain as a stored credential. For example, a password saved for 'example.com' could be auto-filled on 'malicious.example.com'. This affects all Bitwarden users who have saved passwords and use the auto-fill feature.
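As an added illustration (not code from this page or from Bitwarden), the check below models the matching behaviour the TL;DR describes: a policy that compares only the second-level domain offers a credential saved for example.com on malicious.example.com, while a policy that compares the full hostname does not. The policy labels, function names and sample URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Illustrative policy labels for this example; they are not Bitwarden settings.
BASE_DOMAIN = "base_domain"   # compare only the second-level (registrable) domain
HOST = "host"                 # compare the full hostname

def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, with any port stripped."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")

def base_domain(host: str) -> str:
    """Second-level domain: the last two labels of the hostname.
    Simplification: a real client must consult the Public Suffix List so
    that a host such as example.co.uk is not reduced to co.uk."""
    return ".".join(host.split(".")[-2:])

def would_autofill(stored_uri: str, visited_url: str, policy: str) -> bool:
    """Decide whether a credential stored for stored_uri would be offered
    on visited_url under the given matching policy."""
    stored, visited = host_of(stored_uri), host_of(visited_url)
    if policy == HOST:
        return stored == visited
    if policy == BASE_DOMAIN:
        return base_domain(stored) == base_domain(visited)
    raise ValueError(f"unknown policy {policy!r}")

def exposed_credentials(stored_uris: list[str], visited_url: str) -> list[str]:
    """Audit helper: stored URIs that base-domain matching would offer on
    visited_url but hostname matching would not (the subdomain exposure)."""
    return [u for u in stored_uris
            if would_autofill(u, visited_url, BASE_DOMAIN)
            and not would_autofill(u, visited_url, HOST)]

if __name__ == "__main__":
    # Constructed sample vault entries and a visited subdomain.
    vault = ["https://example.com/login", "https://mail.example.com", "https://other.test"]
    print(exposed_credentials(vault, "https://malicious.example.com/"))
```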

💻 Affected Systems

Products:
  • Bitwarden Password Manager
Versions: All versions through 2023.2.1
Operating Systems: Windows, macOS, Linux, Android, iOS
Default Config Vulnerable: ✅ No
Notes: The 'Auto-fill on page load' feature must be enabled for exploitation. This is disabled by default according to the vendor.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could create malicious subdomains to trick Bitwarden into auto-filling sensitive credentials, leading to credential theft and account compromise.

🟠 Likely Case

Phishing campaigns using legitimate-looking subdomains could harvest credentials from unsuspecting users who rely on auto-fill functionality.

🟢 If Mitigated

With 'Auto-fill on page load' disabled, or with users checking the domain before allowing a fill, the risk drops to minimal credential exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (visiting a malicious subdomain) but no authentication to Bitwarden itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.3.0 and later

Vendor Advisory: https://github.com/bitwarden/clients/releases

Restart Required: No

Instructions:

1. Open the Bitwarden application or browser extension.
2. Check for updates in settings.
3. Update to version 2023.3.0 or newer.
4. Restart the browser if using the extension.

🔧 Temporary Workarounds

Disable Auto-fill on Page Load (all)

Turn off the automatic password filling feature that triggers this vulnerability.

Use Manual Password Filling (all)

Disable all auto-fill features and manually select passwords from the vault when needed.

🧯 If You Can't Patch

  • Disable 'Auto-fill on page load' in Bitwarden settings immediately
  • Educate users to manually verify domains before allowing auto-fill

🔍 How to Verify

Check if Vulnerable:

Check the Bitwarden version in settings. If the version is 2023.2.1 or earlier, you are vulnerable when 'Auto-fill on page load' is enabled.

Check Version:

Check the version in the Bitwarden application settings or in the browser extension details.

Verify Fix Applied:

Update to version 2023.3.0 or later and confirm that auto-fill no longer fills a saved credential on other subdomains of the same second-level domain.

📡 Detection & Monitoring

Log Indicators:

  • Unusual auto-fill events on unfamiliar subdomains

Network Indicators:

  • Requests to suspicious subdomains that match saved credential patterns

SIEM Query:

Not applicable - client-side vulnerability
