Security issue when updating Docker exposes setup page including SMTP username and password

[asheroto]

Hello!

I've been using Cachet for awhile and love it. I found a potential security problem, though.

With the Cachet Docker container running, when updating Docker itself (not the image), for a brief few seconds, my Cachet URL status.mydomain.com redirects to the /setup page, and it reveals my mail server's SMTP username and password in full view (password visible using DevTools inspect)...

After about 10 seconds when the update of Docker is complete, going to the same page status.mydomain.com shows up normally.

This happened a few weeks ago but I thought maybe it was just a glitch. I just updated today and had the same thing happen.

As a workaround, I've blocked access to the /setup page in Cloudflare so that when this happens again it won't show the page.

Using Debian 10 Buster, not sure if it affects others.

Steps to reproduce: 1.) Go to the instance URL and continue to refresh over and over while performing the next steps 2.) Update Docker through apt update;apt upgrade docker-buildx-plugin docker-ce docker-ce-cli docker-compose-plugin -y; 3.) For a brief moment during the update, you should see the URL redirect to /setup and show the credentials

I'm not sure if it's all, some, or docker-ce that causes this, but those were the packages I updated.

[asheroto]

@djdefi sorry to tag you directly, but is this project dead? I have not seen any releases and it looks like the issues are not being touched. I understand if you have moved on to other things, just more curious than anything.