github.com/portainer/portainer is vulnerable to information disclosure. The API endpoint /api/users/admin/check allows a remote attacker to determine whether an admin user exists by analyzing the server's response code. A 204 response indicates an existing admin user, while a 404 response indicates a non-existing admin user. In the 404 case, the attacker would then be able to set an admin password.

CPE:

Name | Operator | Version
---|---|---
github.com/portainer/portainer | eq | HEAD
github.com/portainer/portainer | le | 1.19.2
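
A defender-side check for the behaviour described above, as an added example that is not part of the original advisory or the Portainer project: it scans reverse-proxy access logs for requests to /api/users/admin/check from outside trusted networks and flags those that were answered with 404. The log format, the trusted ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: reverse-proxy access log in common/combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
CHECK_PATH = "/api/users/admin/check"  # endpoint named in the advisory
# Assumption: networks that are expected to reach the Portainer API.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
# Meaning of the response codes as described in the advisory.
STATE_BY_STATUS = {204: "admin-exists", 404: "admin-missing"}

def find_probes(lines, trusted=TRUSTED_NETS):
    """Return one finding per untrusted request to the admin check endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != CHECK_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # client field is not an IP address
        if any(src in net for net in trusted):
            continue
        state = STATE_BY_STATUS.get(int(m["status"]), "other")
        findings.append({
            "time": m["ts"],
            "src": str(src),
            "state": state,
            # A 404 told the client that no admin account has been set yet.
            "severity": "high" if state == "admin-missing" else "low",
        })
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2018:10:01:02 +0000] "GET /api/users/admin/check HTTP/1.1" 404 0 "-" "-"',
    '10.1.2.3 - - [12/Oct/2018:10:01:05 +0000] "GET /api/users/admin/check HTTP/1.1" 204 0 "-" "-"',
    '198.51.100.9 - - [12/Oct/2018:10:02:00 +0000] "GET /api/users/admin/check?x=1 HTTP/1.1" 204 0 "-" "-"',
    '203.0.113.7 - - [12/Oct/2018:10:02:10 +0000] "GET / HTTP/1.1" 200 52 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_probes(SAMPLE_LOG):
        print(finding)
```

A "high" finding means an instance disclosed to an untrusted client that it has no admin account yet; such an instance should have its admin account set and its API restricted to trusted networks.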