Expected Behavior
When requesting access to a secret, SMTP bounce messages caused by, for instance, dead email addresses are swallowed by TeamVault.
Actual Behavior
TeamVault tries to send notifications to all users, adding them all via SMTP TO. When such a mail subsequently bounces because one of the TOs is 505 undeliverable, the sender is notified by whatever mail server is configured for TeamVault directly.
Steps to Reproduce the Problem
1. Grant a user access to a secret who has some invalid email address configured.
2. Request access to the secret using some as-of-yet unprivileged user with a valid inbox.
3. Observe that second user's inbox. The bounce message leaks who the requested secret belongs to, including their email addresses.
Specifications
Version: 0.7.3
Platform: //S
Subsystem: mailer-daemon
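
The report above, modelled as an added example (not part of the original issue and not TeamVault's code): one mail with every owner in To and bounces returned to the requester, next to one mail per owner with a service-owned envelope sender. The addresses, `SERVICE_FROM`, `BOUNCE_ADDRESS` and all function names are assumptions, as is the premise that the requester is the envelope sender, which the reproduction steps imply.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SERVICE_FROM = "teamvault@vault.example"   # assumption: service-owned From address
BOUNCE_ADDRESS = "bounces@vault.example"   # assumption: admin-only bounce mailbox

def _message(sender, to_addrs, secret_name):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = f"Access request for '{secret_name}'"
    msg.set_content(f"Access to '{secret_name}' has been requested.")
    return msg

def reported_delivery(requester, owners, secret_name):
    """Behaviour described in the issue: one mail, every owner in To,
    bounces returned to the requesting user."""
    return [(requester, list(owners), _message(requester, owners, secret_name))]

def isolated_delivery(owners, secret_name):
    """One mail per owner; bounces go to a service-owned mailbox."""
    return [(BOUNCE_ADDRESS, [o], _message(SERVICE_FROM, [o], secret_name))
            for o in sorted(set(owners))]

def bounce_exposure(deliveries, dead):
    """Map each bounce recipient to the addresses that a bounce quoting the
    original headers would show them."""
    seen = {}
    for envelope_from, envelope_to, msg in deliveries:
        if dead.intersection(envelope_to):
            quoted = {addr for _, addr in getaddresses(msg.get_all("To", []))}
            seen.setdefault(envelope_from, set()).update(quoted)
    return seen

def send_all(smtp, deliveries):
    """Hand each mail to an smtplib.SMTP connection with an explicit envelope."""
    for envelope_from, envelope_to, msg in deliveries:
        smtp.send_message(msg, from_addr=envelope_from, to_addrs=envelope_to)

# Constructed sample data, not taken from the issue.
OWNERS = ["alice@corp.example", "bob@corp.example", "gone@corp.example"]
DEAD = {"gone@corp.example"}
REQUESTER = "newhire@corp.example"
```

With the sample data, `bounce_exposure` shows the requester seeing all three owner addresses in the first case, and only the bounce mailbox seeing the single dead address in the second.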