CVE-2026-44884
Status: Analyzed - Analysis Complete
Authenticated File Read Vulnerability in Portainer Community Edition

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1.
Meta Information

Published: 2026-05-28
Last Modified: 2026-06-01
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products (2 associated CPEs)

Vendor    | Product   | Version / Range
portainer | portainer | From 2.33.0 (inc) to 2.33.8 (exc)
portainer | portainer | From 2.39.0 (inc) to 2.39.1 (exc)
CWE

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in Portainer Community Edition versions from 2.33.0 onward that predate the fixed releases 2.33.8 and 2.39.1. It is a missing authorization flaw (CWE-862) in the Custom Template file endpoint (GET /api/custom_templates/{id}/file).

Any authenticated user can exploit this vulnerability by enumerating sequential integer IDs to read the file content of any custom template, bypassing Resource Control access restrictions.

Since template files may contain sensitive environment-specific information such as connection strings, API tokens, or registry credentials, this unauthorized access can expose data that administrators would not expect standard users to see.

The vulnerability is fixed in versions 2.33.8 and 2.39.1.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in custom template files, such as connection strings, API tokens, and registry credentials.

An attacker with authenticated access could read these sensitive details, potentially leading to further compromise of containerized environments or connected systems.

Because the vulnerability bypasses Resource Control access restrictions, it undermines the intended security controls and could facilitate privilege escalation or lateral movement within the environment.

Mitigation Strategies

To mitigate this vulnerability, upgrade Portainer Community Edition to version 2.33.8 or 2.39.1, where the missing authorization issue in the Custom Template file endpoint is fixed.

Compliance Impact

The vulnerability allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions.

Since template files may contain environment-specific sensitive information such as connection strings, API tokens, or registry credentials, unauthorized access to these files could lead to exposure of sensitive data.

Exposure of such sensitive information could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict controls over access to sensitive data and credentials.

Detection Guidance

This vulnerability involves unauthorized access to the Custom Template file endpoint via GET requests to /api/custom_templates/{id}/file by enumerating sequential integer IDs.

To detect exploitation attempts on your network or system, monitor HTTP GET requests targeting the /api/custom_templates/{id}/file endpoint, especially bursts of requests from one client that walk through sequential integer IDs, including requests answered with 403 or 404, which indicate probing of templates the user does not own or that do not exist.

Suggested commands to detect such activity include:

  • Using grep on web server logs to find suspicious GET requests: grep -E 'GET /api/custom_templates/[0-9]+/file' /var/log/nginx/access.log
  • Using curl to test access to specific template files (replace {id} with integers): curl -i -H "Authorization: Bearer <token>" https://<portainer-host>/api/custom_templates/{id}/file
  • Using network monitoring tools like Wireshark or tcpdump to filter HTTP GET requests to the vulnerable endpoint.

Note that this vulnerability requires authentication, so monitoring authenticated user activity on this endpoint is important.
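As an added example (not from this page or from Portainer), the following Python script implements the log-based detection described above. It assumes Portainer sits behind nginx writing combined-format access logs, groups /api/custom_templates/{id}/file requests by client IP (the proxy log carries no Portainer user identity, so the IP is the only available key), and flags a client that reads many distinct template IDs within a short window. The log lines, the threshold of 4 distinct IDs and the 60-second window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in nginx "combined" format (not real traffic).
# 10.0.0.9 walks template IDs 1..5 in a few seconds; 10.0.0.5 reads one template.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2026:10:00:01 +0000] "GET /api/custom_templates/7/file HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [28/May/2026:10:00:02 +0000] "GET /api/custom_templates/1/file HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.9 - - [28/May/2026:10:00:03 +0000] "GET /api/custom_templates/2/file HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.9 - - [28/May/2026:10:00:03 +0000] "GET /api/custom_templates/3/file HTTP/1.1" 200 410 "-" "curl/8.0"
10.0.0.9 - - [28/May/2026:10:00:04 +0000] "GET /api/custom_templates/4/file HTTP/1.1" 200 220 "-" "curl/8.0"
10.0.0.9 - - [28/May/2026:10:00:05 +0000] "GET /api/custom_templates/5/file HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.5 - - [28/May/2026:10:05:00 +0000] "GET /api/stacks HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Matches only the vulnerable endpoint; captures client IP, timestamp, template ID and status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /api/custom_templates/(?P<id>\d+)/file[^"]*" (?P<status>\d{3})'
)

def parse_template_reads(log_text):
    """Yield (ip, timestamp, template_id, status) for each template-file request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts, int(m.group("id")), int(m.group("status"))

def find_enumeration(log_text, min_distinct_ids=4, window_seconds=60):
    """Return {ip: {"ids": [...], "served_200": n}} for clients that requested at least
    min_distinct_ids distinct template IDs within window_seconds. Denied (403) and missing
    (404) responses still count: probing IDs the user does not own is the signal, and
    served_200 shows how many template bodies were actually disclosed."""
    by_ip = defaultdict(list)
    for ip, ts, tid, status in parse_template_reads(log_text):
        by_ip[ip].append((ts, tid, status))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order for the sliding window
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            ids = sorted({tid for _, tid, _ in window})
            if len(ids) >= min_distinct_ids:
                findings[ip] = {"ids": ids, "served_200": sum(1 for _, _, s in window if s == 200)}
                break
    return findings

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed template IDs {info['ids']}, {info['served_200']} files served")
```

The same function can be run over a real access log by reading the file into `log_text`; tune the threshold and window to the normal rate at which your users open custom templates.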
