CVE-2018-19367
Severity: CRITICAL
Portainer < 1.19.2 - Unauthenticated Admin Account Creation via API Endpoint
Title source: llmDescription
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) for verifying whether the admin user has already been created. The endpoint returns 404 if the admin user has not been created and 204 if it has. In the 404 case, an unauthenticated attacker can set the admin password.
References (2)
Reference 1 (Exploit, Third Party Advisory; x_refsource_misc): https://github.com/lichti/shodan-portainer/
Reference 2 (Exploit, Issue Tracking, Mitigation, Third Party Advisory; x_refsource_misc): https://github.com/portainer/portainer/issues/2475
Scores
CVSS v3 base score: 9.8
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0147
EPSS Percentile: 70.6%
Details
Status: published
Products (1): portainer/portainer < 1.19.2
Published: Nov 20, 2018
Tracked Since: Feb 18, 2026