First published: Tue Nov 20 2018(Updated: )
Portainer through 1.19.2 exposes an API endpoint (/api/users/admin/check) that reports whether the admin user has already been created: it returns 404 if the admin user does not exist yet and 204 if it does. In the 404 case an attacker can set the admin password before the legitimate operator does, so an instance that has been deployed but not yet claimed is the one at risk.
Credit: cve@mitre.org
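The check a defender would run to find instances sitting in the exposed state is a probe of the same endpoint the description names. The script below is an added example written for this page, not Portainer's or SecAlerts' code: it fetches /api/users/admin/check, maps the status code to the state the description documents (404: no admin yet, 204: admin exists), and combines that with an optional, operator-supplied version string against the advisory's "through 1.19.2" bound. The state names, the `assess`/`verdict` functions and the default base URL (http://127.0.0.1:9000) are assumptions of this example; it only reports the state and never creates or changes the admin account.

```python
"""Probe a Portainer instance for the unclaimed-admin state behind CVE-2018-19367."""
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Upper bound of the affected range as stated in the advisory (through 1.19.2).
LAST_AFFECTED = (1, 19, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.19.2" into (1, 19, 2); a leading "v" and a "-suffix" are tolerated."""
    core = version.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_affected(version: str) -> bool:
    """True when the reported version is inside the affected range (<= 1.19.2)."""
    return parse_version(version) <= LAST_AFFECTED


def classify_admin_check(status: int) -> str:
    """Map the /api/users/admin/check status code to the state it discloses.

    404: no admin user yet, so the first caller can set the admin password
         (the condition CVE-2018-19367 describes on affected versions).
    204: admin already created; the initial-setup window is closed.
    Anything else: not the documented behaviour, report it as unknown.
    """
    if status == 404:
        return "no-admin"
    if status == 204:
        return "admin-exists"
    return "unknown"


def verdict(status: int, version: Optional[str] = None) -> dict:
    """Pure decision logic: endpoint status plus optional version -> exposure verdict."""
    state = classify_admin_check(status)
    affected = version_affected(version) if version else None  # None: version unknown
    return {
        "admin_state": state,
        "version_affected": affected,
        # Exposure needs an unclaimed admin account on an affected version; when the
        # version is unknown the 404 is still flagged, since the account is unclaimed.
        "exposed": state == "no-admin" and affected is not False,
    }


def fetch_admin_check_status(base_url: str, timeout: float = 5.0) -> int:
    """GET <base_url>/api/users/admin/check and return the HTTP status code."""
    url = base_url.rstrip("/") + "/api/users/admin/check"
    request = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is the signal we want, so keep it.
        return err.code


def assess(base_url: str, version: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Network wrapper around verdict(): probe the instance and return its verdict."""
    result = verdict(fetch_admin_check_status(base_url, timeout), version)
    result["url"] = base_url
    return result


if __name__ == "__main__":
    # Usage: python check_portainer.py http://host:9000 [reported-version]
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9000"  # assumed default
    reported = sys.argv[2] if len(sys.argv) > 2 else None
    print(assess(target, reported))
```

Run it against each Portainer instance you operate; a "no-admin" result on a reachable instance means the admin account is still unclaimed, which is the condition to close (complete the initial setup, or take the instance off the network) regardless of whether the version check can be confirmed.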
Affected Software | Affected Version | How to fix
---|---|---
Portainer | <=1.19.2 | Update to a version later than 1.19.2
CVE-2018-19367 is a vulnerability in Portainer through version 1.19.2 that lets an attacker set the admin password on an instance whose admin user has not yet been created.
CVE-2018-19367 has a severity rating of 9.8 (critical).
CVE-2018-19367 affects Portainer versions up to and including 1.19.2.
Updating Portainer to a version later than 1.19.2 fixes CVE-2018-19367.
More information about CVE-2018-19367 is available at the following references: [Github: lichti/shodan-portainer](https://github.com/lichti/shodan-portainer/) and [Github: portainer/portainer issues #2475](https://github.com/portainer/portainer/issues/2475).