Note:
This project will be discontinued after December 13, 2021.
Product: Portainer (Portainer)
Repositories | https://github.com/portainer/portainer |
#Vulnerabilities | 18 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2024-04-10 | CVE-2024-29296 | A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. | Portainer | N/A | ||
2024-04-26 | CVE-2024-33661 | Portainer before 2.20.0 allows redirects when the target is not index.yaml. | Portainer | N/A | ||
2024-10-02 | CVE-2024-33662 | Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function. | Portainer | N/A | ||
2021-03-16 | CVE-2020-24263 | Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host. | Portainer | 8.8 | ||
2021-03-16 | CVE-2020-24264 | Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover. | Portainer | 9.8 | ||
2021-10-18 | CVE-2021-42650 | Cross Site Scripting (XSS) vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates. | Portainer | 6.1 | ||
2021-10-29 | CVE-2021-41874 | An unauthorized access vulnerability exists in all versions of Portainer, which could let a malicious user obtain sensitive information. NOTE: Portainer has received no detail of this CVE report. There is also no response after multiple attempts of contacting the original source. | Portainer | 7.5 | ||
2022-02-11 | CVE-2022-24961 | In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days. | Portainer | 9.8 | ||
2019-03-27 | CVE-2018-19466 | A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls. | Portainer | 9.8 | ||
2019-11-07 | CVE-2019-16877 | Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4). | Portainer | N/A |