Search criteria
56 vulnerabilities found for portainer by portainer
CVE-2025-49593 (GCVE-0-2025-49593)
Vulnerability from cvelistv5 – Published: 2025-06-17 21:27 – Updated: 2025-06-18 13:41
VLAI?
Title
Portainer HTTP Headers May Leak to Malicious Container Registries
Summary
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a malicious container registry, or an existing container registry can be taken over, HTTP Headers (including registry authentication credentials or Portainer session tokens) may be leaked to that registry. This issue has been patched in STS version 2.31.0 and LTS version 2.27.7.
Severity ?
6.8 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-18T13:40:45.623836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T13:41:17.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "portainer",
"vendor": "portainer",
"versions": [
{
"status": "affected",
"version": "\u003c 2.27.7"
},
{
"status": "affected",
"version": "\u003c 2.31.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a malicious container registry, or an existing container registry can be taken over, HTTP Headers (including registry authentication credentials or Portainer session tokens) may be leaked to that registry. This issue has been patched in STS version 2.31.0 and LTS version 2.27.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:27:38.542Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/portainer/portainer/security/advisories/GHSA-h5jw-8c32-xfv6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/portainer/portainer/security/advisories/GHSA-h5jw-8c32-xfv6"
},
{
"name": "https://github.com/portainer/portainer/commit/384cb53c64af78af8e1ac7ef5b0f91bad530e989",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/commit/384cb53c64af78af8e1ac7ef5b0f91bad530e989"
},
{
"name": "https://github.com/portainer/portainer/commit/b767dcb27ed253b423facd2e04ef971985950fd3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/commit/b767dcb27ed253b423facd2e04ef971985950fd3"
}
],
"source": {
"advisory": "GHSA-h5jw-8c32-xfv6",
"discovery": "UNKNOWN"
},
"title": "Portainer HTTP Headers May Leak to Malicious Container Registries"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49593",
"datePublished": "2025-06-17T21:27:38.542Z",
"dateReserved": "2025-06-06T15:44:21.556Z",
"dateUpdated": "2025-06-18T13:41:17.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33662 (GCVE-0-2024-33662)
Vulnerability from cvelistv5 – Published: 2024-10-02 00:00 – Updated: 2024-12-04 16:45
VLAI?
Summary
Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "portainer",
"vendor": "portainer",
"versions": [
{
"lessThan": "2.20.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33662",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-04T16:45:37.727890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T16:45:43.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T04:33:04.879794",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.portainer.io"
},
{
"url": "https://github.com/portainer/portainer/compare/2.20.1...2.20.2"
},
{
"url": "https://github.com/portainer/portainer/issues/11737"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-33662",
"datePublished": "2024-10-02T00:00:00",
"dateReserved": "2024-04-25T00:00:00",
"dateUpdated": "2024-12-04T16:45:43.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33661 (GCVE-0-2024-33661)
Vulnerability from cvelistv5 – Published: 2024-04-25 00:00 – Updated: 2024-08-02 02:36
VLAI?
Summary
Portainer before 2.20.0 allows redirects when the target is not index.yaml.
Severity ?
9.1 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "portainer",
"vendor": "portainer",
"versions": [
{
"lessThan": "2.20.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T20:25:23.022913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T20:25:26.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:36:04.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.portainer.io/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/portainer/portainer/pull/11236"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/portainer/portainer/pull/11233"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/portainer/portainer/compare/2.19.4...2.20.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 2.20.0 allows redirects when the target is not index.yaml."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-25T23:44:12.678495",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.portainer.io/"
},
{
"url": "https://github.com/portainer/portainer/pull/11236"
},
{
"url": "https://github.com/portainer/portainer/pull/11233"
},
{
"url": "https://github.com/portainer/portainer/compare/2.19.4...2.20.0"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-33661",
"datePublished": "2024-04-25T00:00:00",
"dateReserved": "2024-04-25T00:00:00",
"dateUpdated": "2024-08-02T02:36:04.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29296 (GCVE-0-2024-29296)
Vulnerability from cvelistv5 – Published: 2024-04-10 00:00 – Updated: 2024-08-02 01:10
VLAI?
Summary
A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:portainer:portainer:2.19.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "portainer",
"vendor": "portainer",
"versions": [
{
"status": "affected",
"version": "2.19.4"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:55:19.097416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-286",
"description": "CWE-286 Incorrect User Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T19:10:40.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://portainer.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ThaySolis/CVE-2024-29296"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T14:27:53.162146",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://portainer.com"
},
{
"url": "https://github.com/ThaySolis/CVE-2024-29296"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29296",
"datePublished": "2024-04-10T00:00:00",
"dateReserved": "2024-03-19T00:00:00",
"dateUpdated": "2024-08-02T01:10:54.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24961 (GCVE-0-2022-24961)
Vulnerability from cvelistv5 – Published: 2022-02-11 04:52 – Updated: 2024-08-03 04:29
VLAI?
Summary
In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/portainer/issues/6420"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/agent/compare/2.11.0...2.11.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-11T04:52:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/issues/6420"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/agent/compare/2.11.0...2.11.1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/portainer/portainer/issues/6420",
"refsource": "MISC",
"url": "https://github.com/portainer/portainer/issues/6420"
},
{
"name": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f",
"refsource": "MISC",
"url": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f"
},
{
"name": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet",
"refsource": "MISC",
"url": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet"
},
{
"name": "https://github.com/portainer/agent/compare/2.11.0...2.11.1",
"refsource": "MISC",
"url": "https://github.com/portainer/agent/compare/2.11.0...2.11.1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24961",
"datePublished": "2022-02-11T04:52:45",
"dateReserved": "2022-02-11T00:00:00",
"dateUpdated": "2024-08-03T04:29:01.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41874 (GCVE-0-2021-41874)
Vulnerability from cvelistv5 – Published: 2021-10-29 00:00 – Updated: 2025-08-27 22:34
VLAI?
DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-08-27T22:34:46.053Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"rejectedReasons": [
{
"lang": "en",
"value": "DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41874",
"datePublished": "2021-10-29T00:00:00.000Z",
"dateRejected": "2025-08-27T00:00:00.000Z",
"dateReserved": "2021-10-04T00:00:00.000Z",
"dateUpdated": "2025-08-27T22:34:46.053Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42650 (GCVE-0-2021-42650)
Vulnerability from cvelistv5 – Published: 2021-10-18 20:53 – Updated: 2024-08-04 03:38
VLAI?
Summary
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/portainer/pull/5766"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-18T20:53:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/pull/5766"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42650",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/portainer/portainer/pull/5766",
"refsource": "MISC",
"url": "https://github.com/portainer/portainer/pull/5766"
},
{
"name": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss",
"refsource": "MISC",
"url": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42650",
"datePublished": "2021-10-18T20:53:13",
"dateReserved": "2021-10-18T00:00:00",
"dateUpdated": "2024-08-04T03:38:49.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24264 (GCVE-0-2020-24264)
Vulnerability from cvelistv5 – Published: 2021-03-16 14:42 – Updated: 2024-08-04 15:12
VLAI?
Summary
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:12:08.680Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/portainer/issues/4106"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-16T14:42:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/issues/4106"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-24264",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/portainer/portainer/issues/4106",
"refsource": "MISC",
"url": "https://github.com/portainer/portainer/issues/4106"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24264",
"datePublished": "2021-03-16T14:42:45",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T15:12:08.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24263 (GCVE-0-2020-24263)
Vulnerability from cvelistv5 – Published: 2021-03-16 14:42 – Updated: 2024-08-04 15:12
VLAI?
Summary
Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:12:08.497Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/portainer/issues/4105"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-16T14:42:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/issues/4105"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-24263",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/portainer/portainer/issues/4105",
"refsource": "MISC",
"url": "https://github.com/portainer/portainer/issues/4105"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24263",
"datePublished": "2021-03-16T14:42:39",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T15:12:08.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49593 (GCVE-0-2025-49593)
Vulnerability from nvd – Published: 2025-06-17 21:27 – Updated: 2025-06-18 13:41
VLAI?
Title
Portainer HTTP Headers May Leak to Malicious Container Registries
Summary
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a malicious container registry, or an existing container registry can be taken over, HTTP Headers (including registry authentication credentials or Portainer session tokens) may be leaked to that registry. This issue has been patched in STS version 2.31.0 and LTS version 2.27.7.
Severity ?
6.8 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-18T13:40:45.623836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T13:41:17.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "portainer",
"vendor": "portainer",
"versions": [
{
"status": "affected",
"version": "\u003c 2.27.7"
},
{
"status": "affected",
"version": "\u003c 2.31.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a malicious container registry, or an existing container registry can be taken over, HTTP Headers (including registry authentication credentials or Portainer session tokens) may be leaked to that registry. This issue has been patched in STS version 2.31.0 and LTS version 2.27.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:27:38.542Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/portainer/portainer/security/advisories/GHSA-h5jw-8c32-xfv6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/portainer/portainer/security/advisories/GHSA-h5jw-8c32-xfv6"
},
{
"name": "https://github.com/portainer/portainer/commit/384cb53c64af78af8e1ac7ef5b0f91bad530e989",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/commit/384cb53c64af78af8e1ac7ef5b0f91bad530e989"
},
{
"name": "https://github.com/portainer/portainer/commit/b767dcb27ed253b423facd2e04ef971985950fd3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/commit/b767dcb27ed253b423facd2e04ef971985950fd3"
}
],
"source": {
"advisory": "GHSA-h5jw-8c32-xfv6",
"discovery": "UNKNOWN"
},
"title": "Portainer HTTP Headers May Leak to Malicious Container Registries"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49593",
"datePublished": "2025-06-17T21:27:38.542Z",
"dateReserved": "2025-06-06T15:44:21.556Z",
"dateUpdated": "2025-06-18T13:41:17.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33662 (GCVE-0-2024-33662)
Vulnerability from nvd – Published: 2024-10-02 00:00 – Updated: 2024-12-04 16:45
VLAI?
Summary
Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "portainer",
"vendor": "portainer",
"versions": [
{
"lessThan": "2.20.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33662",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-04T16:45:37.727890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T16:45:43.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T04:33:04.879794",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.portainer.io"
},
{
"url": "https://github.com/portainer/portainer/compare/2.20.1...2.20.2"
},
{
"url": "https://github.com/portainer/portainer/issues/11737"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-33662",
"datePublished": "2024-10-02T00:00:00",
"dateReserved": "2024-04-25T00:00:00",
"dateUpdated": "2024-12-04T16:45:43.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33661 (GCVE-0-2024-33661)
Vulnerability from nvd – Published: 2024-04-25 00:00 – Updated: 2024-08-02 02:36
VLAI?
Summary
Portainer before 2.20.0 allows redirects when the target is not index.yaml.
Severity ?
9.1 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "portainer",
"vendor": "portainer",
"versions": [
{
"lessThan": "2.20.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-33661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T20:25:23.022913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T20:25:26.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:36:04.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.portainer.io/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/portainer/portainer/pull/11236"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/portainer/portainer/pull/11233"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/portainer/portainer/compare/2.19.4...2.20.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 2.20.0 allows redirects when the target is not index.yaml."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-25T23:44:12.678495",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.portainer.io/"
},
{
"url": "https://github.com/portainer/portainer/pull/11236"
},
{
"url": "https://github.com/portainer/portainer/pull/11233"
},
{
"url": "https://github.com/portainer/portainer/compare/2.19.4...2.20.0"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-33661",
"datePublished": "2024-04-25T00:00:00",
"dateReserved": "2024-04-25T00:00:00",
"dateUpdated": "2024-08-02T02:36:04.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29296 (GCVE-0-2024-29296)
Vulnerability from nvd – Published: 2024-04-10 00:00 – Updated: 2024-08-02 01:10
VLAI?
Summary
A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:portainer:portainer:2.19.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "portainer",
"vendor": "portainer",
"versions": [
{
"status": "affected",
"version": "2.19.4"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:55:19.097416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-286",
"description": "CWE-286 Incorrect User Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T19:10:40.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://portainer.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ThaySolis/CVE-2024-29296"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T14:27:53.162146",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://portainer.com"
},
{
"url": "https://github.com/ThaySolis/CVE-2024-29296"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29296",
"datePublished": "2024-04-10T00:00:00",
"dateReserved": "2024-03-19T00:00:00",
"dateUpdated": "2024-08-02T01:10:54.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24961 (GCVE-0-2022-24961)
Vulnerability from nvd – Published: 2022-02-11 04:52 – Updated: 2024-08-03 04:29
VLAI?
Summary
In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/portainer/issues/6420"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/agent/compare/2.11.0...2.11.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-11T04:52:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/issues/6420"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/agent/compare/2.11.0...2.11.1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/portainer/portainer/issues/6420",
"refsource": "MISC",
"url": "https://github.com/portainer/portainer/issues/6420"
},
{
"name": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f",
"refsource": "MISC",
"url": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f"
},
{
"name": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet",
"refsource": "MISC",
"url": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet"
},
{
"name": "https://github.com/portainer/agent/compare/2.11.0...2.11.1",
"refsource": "MISC",
"url": "https://github.com/portainer/agent/compare/2.11.0...2.11.1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24961",
"datePublished": "2022-02-11T04:52:45",
"dateReserved": "2022-02-11T00:00:00",
"dateUpdated": "2024-08-03T04:29:01.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41874 (GCVE-0-2021-41874)
Vulnerability from nvd – Published: 2021-10-29 00:00 – Updated: 2025-08-27 22:34
VLAI?
DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-08-27T22:34:46.053Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"rejectedReasons": [
{
"lang": "en",
"value": "DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41874",
"datePublished": "2021-10-29T00:00:00.000Z",
"dateRejected": "2025-08-27T00:00:00.000Z",
"dateReserved": "2021-10-04T00:00:00.000Z",
"dateUpdated": "2025-08-27T22:34:46.053Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42650 (GCVE-0-2021-42650)
Vulnerability from nvd – Published: 2021-10-18 20:53 – Updated: 2024-08-04 03:38
VLAI?
Summary
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/portainer/pull/5766"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-18T20:53:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/pull/5766"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42650",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/portainer/portainer/pull/5766",
"refsource": "MISC",
"url": "https://github.com/portainer/portainer/pull/5766"
},
{
"name": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss",
"refsource": "MISC",
"url": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42650",
"datePublished": "2021-10-18T20:53:13",
"dateReserved": "2021-10-18T00:00:00",
"dateUpdated": "2024-08-04T03:38:49.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24264 (GCVE-0-2020-24264)
Vulnerability from nvd – Published: 2021-03-16 14:42 – Updated: 2024-08-04 15:12
VLAI?
Summary
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:12:08.680Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/portainer/issues/4106"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-16T14:42:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/issues/4106"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-24264",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/portainer/portainer/issues/4106",
"refsource": "MISC",
"url": "https://github.com/portainer/portainer/issues/4106"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24264",
"datePublished": "2021-03-16T14:42:45",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T15:12:08.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24263 (GCVE-0-2020-24263)
Vulnerability from nvd – Published: 2021-03-16 14:42 – Updated: 2024-08-04 15:12
VLAI?
Summary
Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:12:08.497Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/portainer/portainer/issues/4105"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-16T14:42:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/portainer/portainer/issues/4105"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-24263",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/portainer/portainer/issues/4105",
"refsource": "MISC",
"url": "https://github.com/portainer/portainer/issues/4105"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24263",
"datePublished": "2021-03-16T14:42:39",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T15:12:08.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2024-33662
Vulnerability from fkie_nvd - Published: 2024-10-02 05:15 - Updated: 2025-05-21 18:07
Severity ?
Summary
Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E236566E-D51E-4A49-8E23-37CF3706BDA5",
"versionEndExcluding": "2.20.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function."
},
{
"lang": "es",
"value": "Portainer anterior a 2.20.2 utiliza incorrectamente un algoritmo de cifrado en la funci\u00f3n AesEncrypt."
}
],
"id": "CVE-2024-33662",
"lastModified": "2025-05-21T18:07:02.313",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-10-02T05:15:11.643",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/portainer/portainer/compare/2.20.1...2.20.2"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/portainer/portainer/issues/11737"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.portainer.io"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-326"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-33661
Vulnerability from fkie_nvd - Published: 2024-04-26 00:15 - Updated: 2025-05-21 18:07
Severity ?
Summary
Portainer before 2.20.0 allows redirects when the target is not index.yaml.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC578E29-629E-420F-A667-40E07F80AA4B",
"versionEndExcluding": "2.20.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 2.20.0 allows redirects when the target is not index.yaml."
},
{
"lang": "es",
"value": "Portainer anterior a 2.20.0 permite redireccionamientos cuando el objetivo no es index.yaml."
}
],
"id": "CVE-2024-33661",
"lastModified": "2025-05-21T18:07:35.000",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-04-26T00:15:08.953",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/portainer/portainer/compare/2.19.4...2.20.0"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/portainer/portainer/pull/11233"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/portainer/portainer/pull/11236"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.portainer.io/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/portainer/portainer/compare/2.19.4...2.20.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/portainer/portainer/pull/11233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/portainer/portainer/pull/11236"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.portainer.io/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-29296
Vulnerability from fkie_nvd - Published: 2024-04-10 15:16 - Updated: 2025-06-05 13:51
Severity ?
Summary
A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://portainer.com | Product | |
| cve@mitre.org | https://github.com/ThaySolis/CVE-2024-29296 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://portainer.com | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ThaySolis/CVE-2024-29296 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:2.19.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F2EA041E-ED2F-4E11-B20E-853AF3EEA140",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad de enumeraci\u00f3n de usuarios en Portainer CE 2.19.4. Este problema ocurre durante el proceso de autenticaci\u00f3n del usuario, donde una diferencia en el tiempo de respuesta podr\u00eda permitir que un usuario remoto no autenticado determine si un nombre de usuario es v\u00e1lido o no."
}
],
"id": "CVE-2024-29296",
"lastModified": "2025-06-05T13:51:40.593",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-04-10T15:16:05.033",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://portainer.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ThaySolis/CVE-2024-29296"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://portainer.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ThaySolis/CVE-2024-29296"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-286"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-24961
Vulnerability from fkie_nvd - Published: 2022-02-11 06:15 - Updated: 2024-11-21 06:51
Severity ?
Summary
In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/portainer/agent/compare/2.11.0...2.11.1 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/portainer/portainer/issues/6420 | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/portainer/agent/compare/2.11.0...2.11.1 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/portainer/portainer/issues/6420 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C56A2A42-B7E2-4495-925E-A4C3507AB590",
"versionEndExcluding": "2.11.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days."
},
{
"lang": "es",
"value": "En Portainer Agent versiones anteriores a 2.11.1, un servidor de API puede seguir funcionando aunque no est\u00e9 asociado a una instancia de Portainer en los \u00faltimos d\u00edas"
}
],
"id": "CVE-2022-24961",
"lastModified": "2024-11-21T06:51:28.183",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-11T06:15:06.847",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/portainer/agent/compare/2.11.0...2.11.1"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/portainer/portainer/issues/6420"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/portainer/agent/compare/2.11.0...2.11.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/portainer/agent/pull/225/commits/a66977c76043fcff4a8f69c4b65988272d27c01f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/portainer/portainer/issues/6420"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-41874
Vulnerability from fkie_nvd - Published: 2021-10-29 18:15 - Updated: 2025-08-27 23:15
Severity ?
Summary
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
References
| URL | Tags |
|---|
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
],
"id": "CVE-2021-41874",
"lastModified": "2025-08-27T23:15:32.590",
"metrics": {},
"published": "2021-10-29T18:15:08.353",
"references": [],
"sourceIdentifier": "cve@mitre.org",
"vendorComments": [
{
"comment": "Portainer has received no detail of this CVE report. There is also no response after multiple attempts of contacting the original source, CNVD.",
"lastModified": "2022-03-28T12:25:30.690",
"organization": "Portainer"
}
],
"vulnStatus": "Rejected"
}
FKIE_CVE-2021-42650
Vulnerability from fkie_nvd - Published: 2021-10-18 21:15 - Updated: 2024-11-21 06:27
Severity ?
Summary
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/portainer/portainer/pull/5766 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/portainer/portainer/pull/5766 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F35F2F13-8C43-490A-AED3-E7763458B2B3",
"versionEndExcluding": "2.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en Portainer versiones anteriores a 2.9.1 por medio de la caja de entrada del nodo en las plantillas personalizadas"
}
],
"id": "CVE-2021-42650",
"lastModified": "2024-11-21T06:27:55.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-18T21:15:08.770",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/portainer/portainer/pull/5766"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/portainer/portainer/pull/5766"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/purple-WL/Security-vulnerability/blob/main/Portainer%20Custom%20Templates%20xss"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-24264
Vulnerability from fkie_nvd - Published: 2021-03-16 15:15 - Updated: 2024-11-21 05:14
Severity ?
Summary
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/portainer/portainer/issues/4106 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/portainer/portainer/issues/4106 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA8836F8-EA3E-4DCB-9B6B-FA6111980475",
"versionEndIncluding": "1.24.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover."
},
{
"lang": "es",
"value": "Portainer versiones 1.24.1 y anteriores, est\u00e1n afectados por un control de acceso incorrecto que puede conllevar a una ejecuci\u00f3n de c\u00f3digo arbitraria remota.\u0026#xa0;Las comprobaciones de restricci\u00f3n para los montajes de enlace se aplican solo en el lado del cliente y no en el lado del servidor, lo que puede conllevar a generar un contenedor con montaje de enlace.\u0026#xa0;Una vez que es generado un contenedor de este tipo, puede ser aprovechado para salir del contenedor y completar la toma de control de la m\u00e1quina host de Docker"
}
],
"id": "CVE-2020-24264",
"lastModified": "2024-11-21T05:14:32.907",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-16T15:15:12.607",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/portainer/portainer/issues/4106"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/portainer/portainer/issues/4106"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-24263
Vulnerability from fkie_nvd - Published: 2021-03-16 15:15 - Updated: 2024-11-21 05:14
Severity ?
Summary
Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/portainer/portainer/issues/4105 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/portainer/portainer/issues/4105 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA8836F8-EA3E-4DCB-9B6B-FA6111980475",
"versionEndIncluding": "1.24.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host."
},
{
"lang": "es",
"value": "Portainer versiones 1.24.1 y anteriores, est\u00e1n afectadas por una vulnerabilidad de permisos no segura que puede conllevar a una ejecuci\u00f3n de c\u00f3digo arbitraria remota.\u0026#xa0;Un usuario que no sea administrador puede generar nuevos contenedores con capacidades cr\u00edticas como SYS_MODULE, que puede ser usado para tomar el control del host de Docker"
}
],
"id": "CVE-2020-24263",
"lastModified": "2024-11-21T05:14:32.763",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-16T15:15:12.530",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/portainer/portainer/issues/4105"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/portainer/portainer/issues/4105"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16876
Vulnerability from fkie_nvd - Published: 2019-11-07 16:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
Portainer before 1.22.1 allows Directory Traversal.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://fortiguard.com/zeroday/FG-VD-19-123 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fortiguard.com/zeroday/FG-VD-19-123 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FC9EDEA-E092-4874-A4D4-326328F14BCB",
"versionEndExcluding": "1.22.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 1.22.1 allows Directory Traversal."
},
{
"lang": "es",
"value": "Portainer versiones anteriores a 1.22.1, permite el Salto de Directorio."
}
],
"id": "CVE-2019-16876",
"lastModified": "2024-11-21T04:31:15.367",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-07T16:15:10.767",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://fortiguard.com/zeroday/FG-VD-19-123"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://fortiguard.com/zeroday/FG-VD-19-123"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16878
Vulnerability from fkie_nvd - Published: 2019-11-07 16:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
Portainer before 1.22.1 has XSS (issue 2 of 2).
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://fortiguard.com/zeroday/FG-VD-19-119 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fortiguard.com/zeroday/FG-VD-19-119 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FC9EDEA-E092-4874-A4D4-326328F14BCB",
"versionEndExcluding": "1.22.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 1.22.1 has XSS (issue 2 of 2)."
},
{
"lang": "es",
"value": "Portainer versiones anteriores a 1.22.1, presenta una vulnerabilidad de tipo XSS (problema 2 de 2)."
}
],
"id": "CVE-2019-16878",
"lastModified": "2024-11-21T04:31:15.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-07T16:15:10.937",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://fortiguard.com/zeroday/FG-VD-19-119"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://fortiguard.com/zeroday/FG-VD-19-119"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16872
Vulnerability from fkie_nvd - Published: 2019-11-07 16:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4).
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://fortiguard.com/zeroday/FG-VD-19-120 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fortiguard.com/zeroday/FG-VD-19-120 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FC9EDEA-E092-4874-A4D4-326328F14BCB",
"versionEndExcluding": "1.22.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4)."
},
{
"lang": "es",
"value": "Portainer versiones anteriores a 1.22.1, presenta un Control de Acceso Incorrecto (problema 1 de 4)."
}
],
"id": "CVE-2019-16872",
"lastModified": "2024-11-21T04:31:14.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-07T16:15:10.687",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://fortiguard.com/zeroday/FG-VD-19-120"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://fortiguard.com/zeroday/FG-VD-19-120"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16877
Vulnerability from fkie_nvd - Published: 2019-11-07 16:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4).
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://fortiguard.com/zeroday/FG-VD-19-124 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fortiguard.com/zeroday/FG-VD-19-124 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:portainer:portainer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7FC9EDEA-E092-4874-A4D4-326328F14BCB",
"versionEndExcluding": "1.22.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4)."
},
{
"lang": "es",
"value": "Portainer versiones anteriores a 1.22.1, presenta un Control de Acceso Incorrecto (problema 4 de 4)."
}
],
"id": "CVE-2019-16877",
"lastModified": "2024-11-21T04:31:15.503",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-07T16:15:10.843",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://fortiguard.com/zeroday/FG-VD-19-124"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://fortiguard.com/zeroday/FG-VD-19-124"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}