portainer/portainer

portainer/portainer

on GitHub

133 releases

new releases every 3 weeks 4 days

last release was 04/30/2024

last checked today at 5:25 PM

29124

Making Docker and Kubernetes management easy.

Log in to subscribe

CVE History

CVE	Published	CVSS v2	CVSS v3
CVE-2024-33661	April 26, 2024	N/A	N/A
Portainer before 2.20.0 allows redirects when the target is not index.yaml.
CVE-2022-24961	February 11, 2022	9.8 CRITICAL	7.5 HIGH
In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days.
CVE-2021-42650	October 18, 2021	6.1 MEDIUM	4.3 MEDIUM
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates.
CVE-2020-24263	March 16, 2021	8.8 HIGH	6.5 MEDIUM
Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host.
CVE-2020-24264	March 16, 2021	9.8 CRITICAL	10 HIGH
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
CVE-2018-19466	March 27, 2019	9.8 CRITICAL	5 MEDIUM
A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls.
CVE-2018-19367	November 20, 2018	9.8 CRITICAL	5 MEDIUM
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.
CVE-2018-16316	September 1, 2018	5.4 MEDIUM	3.5 LOW
A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field.
CVE-2018-12678	June 22, 2018	9.8 CRITICAL	7.5 HIGH
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass intended access restrictions or conduct SSRF attacks.