Tugtainer vulnerable to Password Exposure via URL Query Parameter

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

通过GET请求中的查询字符串导致的信息暴露

Tugtainer 安全漏洞

Tugtainer是Eugene Savin个人开发者的一个具有web UI的自动化Docker容器更新应用程序。 Tugtainer 1.16.1之前版本存在安全漏洞，该漏洞源于密码身份验证机制通过URL查询参数传输密码，可能导致密码被记录在服务器访问日志、浏览器历史记录、Referer标头和代理日志中。

N/A

N/A