CVE-2018-19466 – Portainer LDAP Credentials Storage Information Disclosure Vulnerability (3rd Apr 2019)

Preface: Today's topic: a stored password that is not encrypted is like walking around without clothes!

Technical background: Portainer is a lightweight management UI which allows you to easily manage your different Docker environments (Docker hosts or Swarm clusters). It allows you to manage all your Docker resources (containers, images, volumes, networks and more)! It is compatible with the standalone Docker engine and with Docker Swarm mode.

Vulnerability: The affected software stores LDAP credentials in cleartext and performs insufficient security checks on the API calls that return them, so the LDAP credentials can be retrieved through the API.
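The API side of this class of bug, as an added illustration in Go (Portainer's language) that is not Portainer's code: the vulnerable handler serialises the stored settings object as-is, so the LDAP bind password rides along in the response, while the hardened handler copies only non-secret fields into a response type that has no password field at all. Type and field names here are assumptions, not Portainer's actual types.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// LDAPSettings is the stored configuration (hypothetical shape).
type LDAPSettings struct {
	URL      string `json:"URL"`
	ReaderDN string `json:"ReaderDN"`
	Password string `json:"Password"` // bind password: a secret
}

// Settings is the persisted settings object returned by the API.
type Settings struct {
	AuthenticationMethod int          `json:"AuthenticationMethod"`
	LDAPSettings         LDAPSettings `json:"LDAPSettings"`
}

// vulnerableResponse marshals the stored object directly, so every
// caller of the settings endpoint receives the cleartext bind password.
func vulnerableResponse(s Settings) ([]byte, error) {
	return json.Marshal(s)
}

// publicLDAPSettings is a response DTO with no Password field, so the
// secret cannot be serialised by accident, now or after future edits.
type publicLDAPSettings struct {
	URL      string `json:"URL"`
	ReaderDN string `json:"ReaderDN"`
}

type publicSettings struct {
	AuthenticationMethod int                `json:"AuthenticationMethod"`
	LDAPSettings         publicLDAPSettings `json:"LDAPSettings"`
}

// hardenedResponse copies only non-secret fields into the DTO.
func hardenedResponse(s Settings) ([]byte, error) {
	return json.Marshal(publicSettings{
		AuthenticationMethod: s.AuthenticationMethod,
		LDAPSettings: publicLDAPSettings{
			URL: s.LDAPSettings.URL, ReaderDN: s.LDAPSettings.ReaderDN,
		},
	})
}

// leaksSecret is a regression check: does a serialised body contain the secret?
func leaksSecret(body []byte, secret string) bool {
	return strings.Contains(string(body), secret)
}

func main() {
	// Constructed sample settings; the password is a placeholder.
	s := Settings{AuthenticationMethod: 2, LDAPSettings: LDAPSettings{
		URL: "ldap.example.internal:389", ReaderDN: "cn=reader,dc=example",
		Password: "constructed-secret"}}
	v, _ := vulnerableResponse(s)
	h, _ := hardenedResponse(s)
	fmt.Println("vulnerable leaks:", leaksSecret(v, s.LDAPSettings.Password))
	fmt.Println("hardened leaks:", leaksSecret(h, s.LDAPSettings.Password))
}
```

This covers only the response-side redaction; the advisory's other point, cleartext storage at rest, is a separate fix (encrypting the value or holding it in a secret store).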

Remedy: Portainer has released software updates at the following URL: https://github.com/portainer/portainer/releases/tag/1.20.0