CVE-2018-19367

CRITICAL

Portainer < 1.19.2 - Unauthenticated Admin Account Creation via API Endpoint


Description

Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.

References (2)

Core References

- Exploit, Third Party Advisory (x_refsource_misc): https://github.com/lichti/shodan-portainer/
- Exploit, Issue Tracking, Mitigation, Third Party Advisory (x_refsource_misc): https://github.com/portainer/portainer/issues/2475

Scores

CVSS v3 9.8
EPSS 0.0147
EPSS Percentile 70.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
portainer/portainer < 1.19.2
Published Nov 20, 2018
Tracked Since Feb 18, 2026