Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Portainer Subscribe
Total 15 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41874 1 Portainer 1 Portainer 2023-02-02 5.0 MEDIUM 7.5 HIGH
** DISPUTED ** An unauthorized access vulnerabiitly exists in all versions of Portainer, which could let a malicious user obtain sensitive information. NOTE: Portainer has received no detail of this CVE report. There is also no response after multiple attempts of contacting the original source.
CVE-2022-24961 1 Portainer 1 Portainer 2022-02-17 7.5 HIGH 9.8 CRITICAL
In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days.
CVE-2021-42650 1 Portainer 1 Portainer 2021-10-21 4.3 MEDIUM 6.1 MEDIUM
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates.
CVE-2020-24263 1 Portainer 1 Portainer 2021-03-23 6.5 MEDIUM 8.8 HIGH
Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host.
CVE-2020-24264 1 Portainer 1 Portainer 2021-03-23 10.0 HIGH 9.8 CRITICAL
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
CVE-2019-16877 1 Portainer 1 Portainer 2020-08-24 6.5 MEDIUM 8.8 HIGH
Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4).
CVE-2018-19466 1 Portainer 1 Portainer 2020-08-24 5.0 MEDIUM 9.8 CRITICAL
A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls.
CVE-2019-16872 1 Portainer 1 Portainer 2020-08-24 9.0 HIGH 9.9 CRITICAL
Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4).
CVE-2019-16874 1 Portainer 1 Portainer 2020-08-24 4.0 MEDIUM 6.5 MEDIUM
Portainer before 1.22.1 has Incorrect Access Control (issue 2 of 4).
CVE-2019-16876 1 Portainer 1 Portainer 2019-11-07 5.0 MEDIUM 7.5 HIGH
Portainer before 1.22.1 allows Directory Traversal.
CVE-2019-16873 1 Portainer 1 Portainer 2019-11-07 3.5 LOW 5.4 MEDIUM
Portainer before 1.22.1 has XSS (issue 1 of 2).
CVE-2019-16878 1 Portainer 1 Portainer 2019-11-07 3.5 LOW 5.4 MEDIUM
Portainer before 1.22.1 has XSS (issue 2 of 2).
CVE-2018-19367 1 Portainer 1 Portainer 2019-10-02 5.0 MEDIUM 9.8 CRITICAL
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.
CVE-2018-16316 1 Portainer 1 Portainer 2018-11-09 3.5 LOW 5.4 MEDIUM
A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field.
CVE-2018-12678 1 Portainer 1 Portainer 2018-08-13 7.5 HIGH 9.8 CRITICAL
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass intended access restrictions or conduct SSRF attacks.