Untrusted device should be disallowed from being an introducer #8920

@calmh

A vulnerability report was submitted to the effect that the untrusted flag doesn't properly prevent combining with introducer, thus allowing the supposedly untrusted device to introduce trusted devices into the cluster and causing a data leak. Since this is a misconfiguration that needs to happen on the trusted side, I decided it's low impact enough to be published as a public issue while we're fixing it.

This may also apply to other settings, such as auto-accepting folders, which makes no sense from an untrusted device.

Originally reported by @vibs29
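
A configuration audit for the combination described in this issue, as an added example (not Syncthing's code and not part of the original report). It assumes a config.xml layout in which `introducer` is an attribute of `<device>` and `untrusted` and `autoAcceptFolders` are child elements; the sample devices are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// device mirrors only the per-device settings named in the issue.
// Assumed layout: introducer is an attribute, the other two are child elements.
type device struct {
	Name              string `xml:"name,attr"`
	Introducer        bool   `xml:"introducer,attr"`
	AutoAcceptFolders bool   `xml:"autoAcceptFolders"`
	Untrusted         bool   `xml:"untrusted"`
}

// Constructed sample configuration; device names are invented.
const sampleConfig = `<configuration>
  <device name="offsite-backup" introducer="true"><untrusted>true</untrusted></device>
  <device name="rented-vps"><autoAcceptFolders>true</autoAcceptFolders><untrusted>true</untrusted></device>
  <device name="laptop" introducer="true"><untrusted>false</untrusted></device>
</configuration>`

// AuditUntrusted reports every untrusted device that still holds a
// trust-granting setting (introducer or folder auto-accept).
func AuditUntrusted(data []byte) ([]string, error) {
	var cfg struct{ Devices []device `xml:"device"` }
	if err := xml.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var findings []string
	for _, d := range cfg.Devices {
		if !d.Untrusted {
			continue // a trusted device may legitimately be an introducer
		}
		if d.Introducer {
			findings = append(findings, d.Name+": untrusted but introducer")
		}
		if d.AutoAcceptFolders {
			findings = append(findings, d.Name+": untrusted but auto-accepts folders")
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditUntrusted([]byte(sampleConfig))
	fmt.Println(findings, err)
}
```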

Labels: bug, frozen-due-to-age
