Portainer
cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*
- < 2.31.0
A vulnerability exists in Portainer Community Edition prior to version 2.31.0, and in Portainer Enterprise Edition prior to version 2.31.0, allowing for the unintentional leakage of HTTP headers, including registry authentication credentials and Portainer session tokens, to a registered malicious container registry. This could occur if a Portainer administrator is persuaded to register the malicious registry or if an existing registry is compromised.
Exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive HTTP header information, including authentication credentials and session tokens, to a potentially malicious container registry.
To reproduce this vulnerability, an administrator must register a malicious container registry in a vulnerable version of Portainer. Once the registry is registered, or if an existing registry is taken over, the vulnerability can be triggered by sending a request that includes sensitive HTTP headers such as 'X-Registry-Auth', 'Private-Token', or session tokens. The registered malicious registry will receive the leaked headers, demonstrating the vulnerability.
Users are advised to update to Portainer Community Edition or Business Edition version 2.31.0 or later. For those using Portainer LTS, version 2.27.7 or later should be installed.
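The leak described above is a management plane forwarding a client's request headers verbatim to whatever registry is configured. As an added illustration (not Portainer's code and not its actual fix), the filter below applies an allowlist before forwarding and injects the registry credential from the proxy's own store; the header names are taken from the advisory, while the allowlist and all placeholder values are assumptions.

```python
"""Added example (not Portainer's own code): allowlist outbound headers so
session tokens and registry-auth headers cannot reach an untrusted registry.
The header names come from the advisory; the allowlist is an assumption."""
from typing import Dict, List, Optional, Tuple

# Headers a registry endpoint legitimately needs (assumed minimal set).
# Matching is case-insensitive. Anything not listed is dropped, so
# X-Registry-Auth, Private-Token, Cookie and a client-supplied Authorization
# header (which may carry a Portainer session token) never leave the proxy.
ALLOWED_HEADERS = {"accept", "accept-encoding", "content-type",
                   "content-length", "user-agent"}


def sanitize_outbound_headers(client_headers: Dict[str, str],
                              registry_auth: Optional[str] = None
                              ) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers_to_forward, names_dropped).

    Only allowlisted headers are copied. The registry credential is set by
    the proxy from its own store rather than taken from the client request.
    """
    forwarded: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in client_headers.items():
        if name.lower() in ALLOWED_HEADERS:
            forwarded[name] = value
        else:
            dropped.append(name)
    if registry_auth is not None:
        forwarded["Authorization"] = registry_auth
    return forwarded, dropped


# Constructed sample request, as a vulnerable proxy might receive it.
# All values are placeholders, not real credentials.
SAMPLE_CLIENT_HEADERS = {
    "Accept": "application/json",
    "Authorization": "Bearer <portainer-session-token-placeholder>",
    "X-Registry-Auth": "<base64-registry-credential-placeholder>",
    "Private-Token": "<private-token-placeholder>",
    "Cookie": "portainer_api_key=<placeholder>",
}


def demo() -> Dict[str, str]:
    """Show what would reach the registry after filtering."""
    forwarded, dropped = sanitize_outbound_headers(
        SAMPLE_CLIENT_HEADERS, registry_auth="Basic <stored-credential>")
    print("forwarded:", forwarded)
    print("dropped:", dropped)
    return forwarded


if __name__ == "__main__":
    demo()
```

Auditing the `dropped` list on real traffic is also a cheap way to confirm which sensitive headers a proxy was previously passing through.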