Home

Description

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a malicious container registry, or an existing container registry can be taken over, HTTP Headers (including registry authentication credentials or Portainer session tokens) may be leaked to that registry. This issue has been patched in STS version 2.31.0 and LTS version 2.27.7.

PUBLISHED Reserved 2025-06-06 | Published 2025-06-17 | Updated 2025-06-18 | Assigner GitHub_M




MEDIUM: 6.8CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 2.27.7
affected

< 2.31.0
affected

References

github.com/...tainer/security/advisories/GHSA-h5jw-8c32-xfv6

github.com/...ommit/384cb53c64af78af8e1ac7ef5b0f91bad530e989

github.com/...ommit/b767dcb27ed253b423facd2e04ef971985950fd3

cve.org (CVE-2025-49593)

nvd.nist.gov (CVE-2025-49593)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.