Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.
References
Link | Resource |
---|---|
https://github.com/lichti/shodan-portainer/ | Exploit Third Party Advisory |
https://github.com/portainer/portainer/issues/2475 | Exploit Issue Tracking Mitigation Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-10-03T16:21:56
Updated: 2022-10-03T16:21:56
Reserved: 2022-10-03T00:00:00
Link: CVE-2018-19367
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-11-20T09:29:05.053
Modified: 2019-10-03T00:03:26.223
Link: CVE-2018-19367
JSON object: View
Redhat Information
No data.
CWE