Route2Shell

PT-2026-41036 · CVSS 9.4 · 2026-05-14
Red Os · CVE-2026-44849
**Name of the Vulnerable Software and Affected Versions**

- Portainer Community Edition versions 2.33.0 through 2.33.7
- Portainer Community Edition versions 2.39.0 through 2.39.1
- Portainer Community Edition versions 2.40.0 through 2.40.x
- Portainer Community Edition versions prior to 2.33.0

**Description**

Portainer fails to properly enforce `EndpointSecuritySettings` restrictions on the Docker Swarm service API, allowing non-admin users with Swarm endpoint access to bypass security policies. While restrictions on privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts are enforced during standard container creation, they are not consistently applied to Swarm services.

Technical details:

- The `POST /services/create` endpoint applies only one of the seven checks; it does not validate `CapabilityAdd`, `CapabilityDrop`, `Sysctls`, or `Privileges` (Seccomp / AppArmor) in the request body.
- The `POST /services/{id}/update` endpoint applies zero checks: it neither inspects the request body nor calls `fetchEndpointSecuritySettings()`.
- The `POST /volumes/create` endpoint has no `AllowBindMountsForRegularUsers` check at all.
- A further bypass exists even where bind mounts are checked: a mount with `Type: "volume"` whose `VolumeOptions.DriverConfig.Options` contains `type: "none"` and `o: "bind"` is treated by the Docker daemon as a bind mount of the host path given in `device`, so it is not caught by a check that looks only for `Type: "bind"`.

An attacker can chain these flaws to gain elevated Linux capabilities (for example `CAP_SYS_ADMIN`), disable syscall filtering (Seccomp) or AppArmor, and bind-mount host paths such as `/` into a service task, potentially achieving root access on the Swarm manager host.

**Recommendations**

- Update Portainer Community Edition versions 2.33.0 through 2.33.7 to 2.33.8.
- Update Portainer Community Edition versions 2.39.0 through 2.39.1 to 2.39.2.
- Update Portainer Community Edition versions 2.40.0 through 2.40.x to 2.41.0.
- Upgrade all versions prior to 2.33.0 to a supported LTS branch.
As a temporary workaround, revoke Swarm endpoint access for non-admin users via Portainer RBAC. Segregate manager and worker nodes using placement constraints to prevent user workloads from running on manager nodes. Block the creation of local-driver volumes that use `type: none` and `o: bind` on untrusted endpoints via a daemon-side allowlist.
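The following is an added example, not code from Portainer or from the advisory, showing what a consistent policy check over the Swarm service and volume request bodies looks like. It decodes the Docker Engine API `ServiceSpec` shape shared by `POST /services/create` and `POST /services/{id}/update`, flags `CapabilityAdd`/`CapabilityDrop`, `Sysctls` and non-default `Privileges.Seccomp`/`Privileges.AppArmor` modes, and treats a `Type: "volume"` mount (or a `POST /volumes/create` body) with local-driver options `type=none, o=bind` as the bind mount it really is. The `EndpointSecuritySettings` struct and its `Allow...ForRegularUsers` field names are an assumed illustrative subset modelled on Portainer's naming; the sample request bodies are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// EndpointSecuritySettings is an illustrative subset (assumption) of the
// per-endpoint restrictions the advisory refers to; not Portainer's own type.
type EndpointSecuritySettings struct {
	AllowBindMountsForRegularUsers            bool
	AllowContainerCapabilitiesForRegularUsers bool
	AllowSysctlSettingForRegularUsers         bool
	AllowSecurityOptForRegularUsers           bool // Privileges.Seccomp / Privileges.AppArmor
}

// Trimmed mirror of the Docker Engine API ServiceSpec body; only the fields
// inspected here are modelled (encoding/json matches names case-insensitively).
type serviceSpec struct {
	TaskTemplate struct {
		ContainerSpec struct {
			CapabilityAdd  []string
			CapabilityDrop []string
			Sysctls        map[string]string
			Privileges     *struct {
				Seccomp  *struct{ Mode string }
				AppArmor *struct{ Mode string }
			}
			Mounts []mount
		}
	}
}

type driverConfig struct {
	Name    string
	Options map[string]string
}

type mount struct {
	Type, Source, Target string
	VolumeOptions        *struct{ DriverConfig *driverConfig }
}

// volumeCreateRequest mirrors the body of POST /volumes/create.
type volumeCreateRequest struct {
	Name, Driver string
	DriverOpts   map[string]string
}

// isHiddenBind reports whether local-driver options (type=none, o=bind) turn a
// "volume" into a bind mount of the host path named in "device".
func isHiddenBind(driver string, opts map[string]string) bool {
	if (driver != "" && driver != "local") || opts["type"] != "none" {
		return false
	}
	for _, o := range strings.Split(opts["o"], ",") {
		if strings.TrimSpace(o) == "bind" {
			return true
		}
	}
	return false
}

// CheckServiceSpec applies the settings to a service create/update body and
// returns every violation found; an empty result means the request may pass.
func CheckServiceSpec(body []byte, s EndpointSecuritySettings) ([]string, error) {
	var spec serviceSpec
	if err := json.Unmarshal(body, &spec); err != nil {
		return nil, fmt.Errorf("decode service spec: %w", err)
	}
	c := spec.TaskTemplate.ContainerSpec
	var v []string
	if !s.AllowContainerCapabilitiesForRegularUsers && len(c.CapabilityAdd)+len(c.CapabilityDrop) > 0 {
		v = append(v, "capabilities not permitted: "+strings.Join(append(c.CapabilityAdd, c.CapabilityDrop...), ","))
	}
	if !s.AllowSysctlSettingForRegularUsers && len(c.Sysctls) > 0 {
		v = append(v, fmt.Sprintf("sysctls not permitted: %d key(s) set", len(c.Sysctls)))
	}
	if p := c.Privileges; !s.AllowSecurityOptForRegularUsers && p != nil {
		if p.Seccomp != nil && p.Seccomp.Mode != "" && p.Seccomp.Mode != "default" {
			v = append(v, "security-opt: seccomp mode "+p.Seccomp.Mode+" not permitted")
		}
		if p.AppArmor != nil && p.AppArmor.Mode != "" && p.AppArmor.Mode != "default" {
			v = append(v, "security-opt: apparmor mode "+p.AppArmor.Mode+" not permitted")
		}
	}
	if !s.AllowBindMountsForRegularUsers {
		for _, m := range c.Mounts {
			if m.Type == "bind" {
				v = append(v, "bind mount of "+m.Source+" not permitted")
			} else if m.Type == "volume" && m.VolumeOptions != nil && m.VolumeOptions.DriverConfig != nil {
				if dc := m.VolumeOptions.DriverConfig; isHiddenBind(dc.Name, dc.Options) {
					v = append(v, "volume "+m.Source+" is a disguised bind mount of "+dc.Options["device"]+", not permitted")
				}
			}
		}
	}
	return v, nil
}

// CheckVolumeCreate applies the bind-mount rule to a POST /volumes/create body.
func CheckVolumeCreate(body []byte, s EndpointSecuritySettings) ([]string, error) {
	var req volumeCreateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("decode volume request: %w", err)
	}
	if !s.AllowBindMountsForRegularUsers && isHiddenBind(req.Driver, req.DriverOpts) {
		return []string{"volume " + req.Name + " binds host path " + req.DriverOpts["device"] + ", not permitted"}, nil
	}
	return nil, nil
}

// Constructed sample bodies for the example (not captured from a real system).
const sampleServiceUpdate = `{"Name":"web","TaskTemplate":{"ContainerSpec":{"Image":"alpine",
 "CapabilityAdd":["CAP_SYS_ADMIN"],"Sysctls":{"net.ipv4.ip_forward":"1"},
 "Privileges":{"Seccomp":{"Mode":"unconfined"},"AppArmor":{"Mode":"disabled"}},
 "Mounts":[{"Type":"volume","Source":"hostroot","Target":"/host","VolumeOptions":{"DriverConfig":
 {"Name":"local","Options":{"type":"none","o":"bind","device":"/"}}}}]}}}`
const sampleVolumeCreate = `{"Name":"escape","Driver":"local","DriverOpts":{"type":"none","o":"bind","device":"/"}}`

func main() {
	locked := EndpointSecuritySettings{} // every Allow...ForRegularUsers false
	v, _ := CheckServiceSpec([]byte(sampleServiceUpdate), locked)
	for _, msg := range v {
		fmt.Println("service:", msg)
	}
	v, _ = CheckVolumeCreate([]byte(sampleVolumeCreate), locked)
	for _, msg := range v {
		fmt.Println("volume:", msg)
	}
}
```

The same function must run for both the create and the update path, since the update body carries a full `ServiceSpec` and can reintroduce anything the create check removed; and `o` is matched as a comma-separated option list (`rw,bind`) rather than by exact string, because that is how the local driver parses it.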