📢 频道公告欢迎关注我的推特： @bboysoulcn对频道有任何意见欢迎发邮件：📧 bboysoulcn@gmail.comhttps://tg.bboy.apphttps://tg.bboy.app/posts/12645https://tg.bboy.app/posts/12645Tue, 16 Jun 2026 01:23:45 GMT<div class="tgme_widget_message_forwarded_from accent_color">Forwarded from <a class="tgme_widget_message_forwarded_from_name" href="https://t.me/MiaoTonyChannel/21324" target="_blank" rel="noopener"><span><i class="emoji" style="background-image:url('//telegram.org/img/emoji/40/F09F90B1.png')"><b>🐱</b></i>MiaoTony's Box | 困困困 zzz</span></a> (<span class="tgme_widget_message_forwarded_from_author">MiaoTony <i class="emoji" style="background-image:url('//telegram.org/img/emoji/40/F09F90B1.png')"><b>🐱</b></i></span>)</div><a href="/search/result?q=%23%E4%BB%8A%E5%A4%A9%E5%8F%88%E7%9C%8B%E4%BA%86%E5%95%A5" title="#今天又看了啥">#今天又看了啥</a> <a href="/search/result?q=%23security" title="#security">#security</a> <a href="/search/result?q=%23CVE" title="#CVE">#CVE</a> <a href="/search/result?q=%23docker" title="#docker">#docker</a><br /><b>CVE-2026-33590 — Portainer 默认配置不安全导致宿主机接管</b><br />CVSS 3.1 <b>8.2 HIGH</b><br />Portainer &lt; 2.38.0 的 Endpoint <mark class="highlight">Security</mark> 默认配置过度宽松，允许普通用户（非管理员）在创建容器时启用 bind mount、privileged mode、host namespace 等高危能力，攻击者可借此挂载宿主机文件系统或以特权模式运行容器，实现从容器逃逸到宿主机的完全接管。<br /><div class="tg-expandable"> <input type="checkbox" id="expand-0-0" class="tg-expandable__checkbox" aria-label="Toggle hidden content" aria-controls="expand-0-0-content" /> <div id="expand-0-0-content" class="tg-expandable__content"><b>默认开启的危险配置项（共 7 项）</b>：<br />- allowBindMountsForRegularUsers — 允许挂载宿主机任意路径<br />- allowPrivilegedModeForRegularUsers — 允许特权模式<br />- allowHostNamespaceForRegularUsers — 允许共享宿主机 PID/IPC namespace<br />- allowDeviceMappingForRegularUsers — 允许访问宿主机设备<br />- allowContainerCapabilitiesForRegularUsers — 允许选择 root capabilities<br />- allowSysctlSettingForRegularUsers — 允许 sysctl 操作<br />- allowStackManagementForRegularUsers — 允许 compose stack 管理<br /><br /><b>PoC</b>：以普通用户身份认证 → 找到本地 Docker endpoint → 用 alpine 镜像 bind mount 宿主机 /etc/ → 直接读取 /etc/shadow。<br /><br /><b>修复</b>：升级至 2.38.0（STS）或 2.39.0（LTS），以上配置项默认改为 false（仅 stack 管理保留 true）。升级后需手动检查 Docker <mark class="highlight">Security</mark> Settings。</div> <label for="expand-0-0" class="tg-expandable__toggle"><span class="sr-only">Toggle hidden content</span></label> </div><br /><br /><b>说人话：</b><br /><div class="tg-expandable"> <input type="checkbox" id="expand-0-1" class="tg-expandable__checkbox" aria-label="Toggle hidden content" aria-controls="expand-0-1-content" /> <div id="expand-0-1-content" class="tg-expandable__content">Portainer 老版本有个问题：<b>管理员给你建了个普通账号，你能自己开个容器把整台宿主机的硬盘挂进去</b>，然后随便翻文件、读密码、写 crontab——等于直接拿下宿主机 root。<br />原因是 Portainer 默认把 7 个高危开关全部打开了，比如"允许普通用户挂载宿主机目录""允许特权模式"。<br /><b>你需要升级版本</b>，然后去 Settings → Docker <mark class="highlight">Security</mark> Settings 确认那些开关都关了。如果你是多人共用的 Portainer 实例，建议顺便审一下历史容器有没有被滥用过。</div> <label for="expand-0-1" class="tg-expandable__toggle"><span class="sr-only">Toggle hidden content</span></label> </div><br /><i class="emoji"><b>🔗</b></i> <a href="https://intwave.com/blog/2026/02/26/improving-portainer-security.html" target="_blank" rel="noopener" title="技术分析博文">技术分析博文</a> · <a href="https://intwave.com/advisory/2026/06/12/cve-2026-33590-portainer.html" target="_blank" rel="noopener" title="安全公告">安全公告</a><br /><br />感觉这个漏洞本质上是个设计缺陷而非代码 bug，默认信任用户不会滥用容器特权，不过在多用户环境下还是有很大风险。<a class="tgme_widget_message_link_preview" href="https://intwave.com/blog/2026/02/26/improving-portainer-security.html" target="_blank" rel="noopener" title="Product Security Services"> <div class="link_preview_site_name accent_color">Intwave</div> <div class="link_preview_title">Improving Portainer <mark class="highlight">Security</mark></div> <div class="link_preview_description">Product <mark class="highlight">Security</mark> Services</div> </a>