Tugtainer Password Exposure Vulnerability via URL Query Parameters
Vulnerability
A vulnerability in Tugtainer, a self-hosted application for automating Docker container updates, allows the login password to be transmitted as a URL query parameter rather than in the HTTP request body. This issue affects Tugtainer versions prior to 1.16.1. Because query strings are recorded as part of the request line, passwords can be logged in server access logs and potentially revealed through browser history, Referer headers, and proxy logs.
Impact
This vulnerability leads to the exposure of passwords in server access logs, which could be accessed through log file backups or via a compromised server. Additionally, using the GET method to transmit passwords could result in leakage through browser history and Referer headers.
Reproduction
To reproduce this vulnerability, first set a password using the Tugtainer API. Then, log in by sending a POST request to the login endpoint with the password included as a URL query parameter. This will trigger the vulnerability by exposing the password in the server access logs. Alternatively, the GET method can be used to log in, which also exposes the password through browser history.
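The access-log exposure described above, as an added defender-side example that is not part of the advisory or the Tugtainer project: it scans Combined Log Format lines for credential-bearing query strings and redacts them before the lines are retained. The sample log lines, the parameter names and the /api/login path are constructed assumptions, not Tugtainer's actual endpoint.

```python
"""Detect and redact credentials carried in URL query strings in access logs."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that should never appear in a request line (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "token", "secret", "api_key"}

# Request line inside a Combined Log Format entry: "METHOD /path?query HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')

# Constructed sample lines; the login path is an assumption, not Tugtainer's route.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "POST /api/login?password=hunter2 HTTP/1.1" 200 17 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /api/login?password=hunter2 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /api/containers?limit=20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def sensitive_params_in_url(target: str) -> list:
    """Return the sorted names of sensitive query parameters in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_url(target: str) -> str:
    """Replace the value of each sensitive query parameter with REDACTED."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines) -> list:
    """Return (line_no, method, leaked_param_names) for every line exposing a credential."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST_RE.search(line)
        if m is None:
            continue  # not a recognisable request line; skip rather than guess
        leaked = sensitive_params_in_url(m["target"])
        if leaked:
            hits.append((n, m["method"], leaked))
    return hits


def redact_access_log_line(line: str) -> str:
    """Rewrite the request line so the stored log no longer contains the secret."""
    return _REQUEST_RE.sub(
        lambda m: f'"{m["method"]} {redact_url(m["target"])} {m["proto"]}"', line)
```

Both the POST and the GET variant are caught, since the query string is logged regardless of method; only moving the credential into the request body keeps it out of the request line entirely.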
Remediation
Users can update to Tugtainer version 1.16.1 or later, where this vulnerability has been patched.
