CVE-2018-19367
First published: Tue Nov 20 2018(Updated: )
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Portainer Portainer | <=1.19.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-19367?
CVE-2018-19367 is a vulnerability in Portainer through version 1.19.2 that allows an attacker to set an admin password.
How severe is CVE-2018-19367?
CVE-2018-19367 has a severity rating of 9.8 (critical).
How does CVE-2018-19367 affect Portainer?
CVE-2018-19367 affects Portainer versions up to and including 1.19.2.
Is there a fix for CVE-2018-19367?
Yes, updating Portainer to a version beyond 1.19.2 will fix CVE-2018-19367.
Where can I find more information about CVE-2018-19367?
You can find more information about CVE-2018-19367 on the following references: [Github: lichti/shodan-portainer](https://github.com/lichti/shodan-portainer/) and [Github: portainer/portainer issues #2475](https://github.com/portainer/portainer/issues/2475).
- collector/nvd-index
- vendor/portainer
- product/portainer
- canonical/portainer portainer