Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer's authentication middleware accepts JWT bearer tokens passed as the ?token=<JWT> URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers on outbound navigation, so any JWT passed this way can be harvested by anyone with access to those logs or by an external site the user subsequently visits. A leaked token grants the full privileges of the user it was issued to, until the token expires (default 8 hours, configurable). The ?token= parameter was used by Portainer's browser-based container attach, exec, and pod shell features, so any user with exec or attach rights on a container was exposed — not only administrators. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0.
Portainer Community Edition versions 2.33.0 to 2.33.7, 2.39.0-2.39.1, and 2.40.x accept JWT tokens via URL query parameters, exposing them in logs and browser history. This vulnerability allows attackers to harvest authentication tokens and gain full user privileges for up to 8 hours.
يقبل Portainer Community Edition رموز JWT عبر معاملات URL الاستعلام (?token=) بالإضافة إلى رأس Authorization القياسي. يتم تسجيل عناوين URL في سجلات الوصول لخادم الوكيل العكسي والسجل والرؤوس HTTP Referer، مما يسمح بحصاد الرموز من قبل أي شخص لديه إمكانية الوصول إلى هذه السجلات. الرمز المكشوف يمنح جميع امتيازات المستخدم حتى انتهاء صلاحيته (الافتراضي 8 ساعات).
Portainer Community Edition versions 2.33.0 to 2.33.7, 2.39.0-2.39.1, and 2.40.x accept JWT tokens via URL query parameters, exposing them in logs and browser history. This vulnerability allows attackers to harvest authentication tokens and gain full user privileges for up to 8 hours.
Upgrade Portainer Community Edition to version 2.33.8, 2.39.2, 2.41.0 or later immediately. Review access logs and browser history for exposed tokens. Implement network-level controls to restrict Portainer access. Rotate any potentially compromised authentication tokens. Configure reverse proxies to sanitize query parameters from logs.
قم بترقية Portainer Community Edition إلى الإصدار 2.33.8 أو 2.39.2 أو 2.41.0 أو أحدث فوراً. راجع سجلات الوصول والسجل للتحقق من الرموز المكشوفة. طبق عناصر تحكم على مستوى الشبكة لتقييد الوصول إلى Portainer. أعد تعيين أي رموز مصادقة قد تكون مكشوفة. قم بتكوين وكلاء عكسية لتنظيف معاملات الاستعلام من السجلات.