This repository has been archived by the owner on Jan 17, 2025. It is now read-only.

SECURITY ALERT: Potential credential leak using get_ciphers() #34 #35

Open

kiorky opened this issue Dec 11, 2024 · 1 comment

Comments

kiorky (Contributor) commented Dec 11, 2024

We received a very partial / scarce / incomplete security report leading us to think that Client.get_ciphers() could / MAY lead to a credential leak across multiple calls when the cache has already been warmed up with ciphers obtained by other users in previous calls.

This is strange, because the documentation clearly indicates that you have to handle any cache invalidation and then a new login whenever you have to; it should have been up to the consuming code to ensure such ciphers are wiped during simultaneous access: https://github.com/corpusops/bitwardentools/blob/main/USAGE.md#security-note

Please also see the DISCLAIMER (https://github.com/corpusops/bitwardentools?tab=readme-ov-file#disclaimer) section of the project README for all details.

Please also note that I am handling this security alert by issuing a new and last release just before archiving and ending this project, as I do not have at this time the due resources, especially concerning the new EU CRA regulation.

As a current mitigation: please at least do not use this library in a multi-user context, and preferably wait for the new release.
To mitigate the issue, I'll issue a new release and update this ticket and the README in due time.
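To make the failure mode concrete, here is an added, self-contained Python illustration of the pattern the report describes: a cipher cache that is shared process-wide and keyed only by the resource, so a second user's `get_ciphers()` call is served whatever the first user warmed up, beside a hardened variant that scopes the cache to the authenticated identity and wipes it on login. This is not bitwardentools code and makes no claim about its internals; `SharedCacheClient`, `ScopedCacheClient`, `PROCESS_CACHE`, `fetch_ciphers_from_server` and the two sample vaults are all hypothetical stand-ins constructed for the example.

```python
"""Toy model of a shared cipher cache versus a per-session, per-identity cache.

Added illustration only: every name here (SharedCacheClient, ScopedCacheClient,
PROCESS_CACHE, fetch_ciphers_from_server, VAULT_BACKEND) is a hypothetical
stand-in, not an API of the library discussed in the issue.
"""

# Constructed sample data: each user's vault holds one cipher (a password
# entry). In a real deployment these would come from the server after login.
VAULT_BACKEND = {
    "alice@example.com": [{"id": "c-1", "name": "alice-db", "password": "alice-secret"}],
    "bob@example.com": [{"id": "c-2", "name": "bob-db", "password": "bob-secret"}],
}

# The vulnerable client stores results here: one dict for the whole process.
PROCESS_CACHE: dict = {}


def fetch_ciphers_from_server(user: str) -> list:
    """Stand-in for the authenticated API call; returns a copy of the user's ciphers."""
    return [dict(c) for c in VAULT_BACKEND[user]]


class SharedCacheClient:
    """Vulnerable pattern: cache shared by every client instance in the process,
    keyed only by the resource name, never by who fetched it."""

    def __init__(self, user: str):
        self.user = user

    def get_ciphers(self) -> list:
        # A cache hit returns whatever the previous caller warmed up, regardless
        # of which identity this client authenticated as.
        if "ciphers" not in PROCESS_CACHE:
            PROCESS_CACHE["ciphers"] = fetch_ciphers_from_server(self.user)
        return PROCESS_CACHE["ciphers"]


class ScopedCacheClient:
    """Hardened pattern: the cache belongs to the session object, entries are
    keyed by the authenticated identity, and login() wipes it explicitly."""

    def __init__(self, user: str):
        self.user = user
        self._cache: dict = {}  # instance attribute: one cache per session

    def login(self) -> None:
        # A (re)login is the point at which anything cached for another
        # identity must be dropped before new requests are served.
        self.invalidate()

    def invalidate(self) -> None:
        self._cache.clear()

    def get_ciphers(self) -> list:
        key = self.user  # entries are scoped to the identity they belong to
        if key not in self._cache:
            self._cache[key] = fetch_ciphers_from_server(self.user)
        return self._cache[key]


def leaks_across_users(client_cls) -> bool:
    """Warm the cache as alice, then read as bob; True if bob sees alice's secret."""
    PROCESS_CACHE.clear()  # start each scenario from a cold process cache
    alice = client_cls("alice@example.com")
    alice.get_ciphers()
    bob = client_cls("bob@example.com")
    seen = bob.get_ciphers()
    return any(c["password"] == "alice-secret" for c in seen)


def relogin_is_clean() -> bool:
    """Re-use one ScopedCacheClient for a second identity after login()."""
    session = ScopedCacheClient("alice@example.com")
    session.login()
    session.get_ciphers()
    session.user = "bob@example.com"
    session.login()  # wipes alice's entries before bob's first request
    cold = session._cache == {}
    return cold and session.get_ciphers()[0]["password"] == "bob-secret"


if __name__ == "__main__":
    print("shared cache leaks across users:", leaks_across_users(SharedCacheClient))
    print("scoped cache leaks across users:", leaks_across_users(ScopedCacheClient))
    print("re-login on one session starts clean:", relogin_is_clean())
```

The two clients differ only in where the cache lives and how it is keyed; the invalidate-on-login step is the piece the USAGE security note places on the consuming code, and it is the step a multi-user process cannot skip.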

kiorky added a commit that referenced this issue Dec 12, 2024
kiorky (Contributor, Author) commented Dec 12, 2024

RELEASE 2.0.0 is on its way (https://pypi.org/project/bitwardentools/2.0.0/).
Please upgrade as soon as you can.
I keep this bug open for users to have a chance to see it.

kiorky added a commit that referenced this issue Dec 15, 2024