Hello, what is the solution against this vulnerability on a Docker installation?

Vulnerability Summary
Title: Traccar Settings Disclosure (traccar-settings-disclosure)
Severity: Low
Vulnerability Type: Information Disclosure / Misconfiguration
Affected Component: Traccar Server – Publicly Accessible API Endpoint

Detailed Description
The following publicly accessible API endpoint: /api/server reveals configuration details of the Traccar server. This endpoint may expose server settings, version information, and other operational parameters intended for internal management. While it may not directly disclose sensitive credentials, publicly exposing these details can assist attackers in mapping server capabilities.

When vulnerable, a server might:
• Expose Traccar server configuration and system parameters
• Reveal server version and platform information
• Provide insights useful for reconnaissance or targeted attacks
• Allow attackers to understand API structure and endpoints

This behavior typically indicates:
• Missing authentication or access control for administrative API endpoints
• Misconfigured Traccar server or API permissions
• Lack of restrictions for publicly accessible operational information

Although classified as low severity, disclosure of system settings can aid attackers in planning further attacks or exploitation.

Potential Impacts (Low)
• Exposure of server configuration and operational details
• Increased attacker knowledge of server setup and endpoints
• Facilitation of reconnaissance for targeted exploits
• Identification of server software version and platform
• Potential chaining with other vulnerabilities to escalate impact

Impact remains low unless sensitive credentials or critical configuration data are revealed.

Recommended Remediation
• Restrict access to administrative or settings endpoints
  o Require authentication for /api/server and other management APIs
  o Limit access to trusted IP ranges or internal networks
• Server-side protections
  o Enforce role-based access control (RBAC) for API endpoints
  o Ensure sensitive operational data is not returned in public API responses
• Monitor for scanning or unauthorized access
  o Log API requests targeting /api/server
  o Detect repeated probing or enumeration of Traccar endpoints

Detection / Indicators to Hunt For
• Requests to /api/server from external or unauthorized sources
• Attempts to enumerate API endpoints or gather configuration data
• Access patterns indicative of automated scanning or reconnaissance

Additional Notes
This is a low-severity information disclosure issue. While no direct sensitive credentials may be exposed, publicly accessible Traccar server settings can provide attackers with valuable operational information. Restricting access and enforcing authentication are important mitigations.
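One way to act on the "Detection / Indicators to Hunt For" section of the report, as an added example that is not part of the original post or of Traccar itself: a Python script that parses reverse-proxy access logs in the common "combined" format, flags /api/server reads from addresses outside an assumed set of trusted networks, and reports clients that touch several distinct /api/ endpoints. The log lines, IP addresses and trusted networks are constructed for the example.

```python
import ipaddress
import re

# Constructed sample access-log lines (combined format) from a reverse proxy
# in front of Traccar; every IP and timestamp here is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /api/server HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:05 +0000] "GET /api/server HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:06 +0000] "GET /api/devices HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:07 +0000] "GET /api/users HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:12:01:00 +0000] "GET /api/session HTTP/1.1" 200 80 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:01:02 +0000] "GET /api/server HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Assumed "trusted IP ranges or internal networks" from the report's remediation list.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return (ip, method, path, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop any query string so "/api/server?x=1" is still recognised as /api/server.
    return m.group("ip"), m.group("method"), m.group("path").split("?")[0], int(m.group("status"))


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def hunt(log_text, probe_threshold=3):
    """Return untrusted IPs that read /api/server, and IPs probing >= probe_threshold distinct /api/ paths."""
    settings_reads, paths_by_ip = [], {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a request line; skip rather than crash on junk
        ip, _method, path, _status = parsed
        if is_trusted(ip):
            continue  # internal clients are expected to fetch server settings
        if path == "/api/server":
            settings_reads.append(ip)
        if path.startswith("/api/"):
            paths_by_ip.setdefault(ip, set()).add(path)
    probers = {ip: sorted(p) for ip, p in paths_by_ip.items() if len(p) >= probe_threshold}
    return {"settings_reads": settings_reads, "probers": probers}


if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Because the Traccar web client itself requests /api/server before a user logs in, restricting the endpoint to trusted ranges at the reverse proxy (or fronting it with proxy-level authentication) is the practical control, and this script is a way to see who is reaching it from outside those ranges.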