x/vulndb: potential Go vuln in github.com/portainer/portainer: CVE-2018-12678

[tatianab]

CVE-2018-12678 references github.com/portainer/portainer, which may be a Go module.

Description:
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass intended access restrictions or conduct SSRF attacks.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2018-12678
• fix: fix(api): add an authenticated access policy to the websocket endpoint portainer/portainer#1979
• web: https://github.com/portainer/portainer/releases/tag/1.18.0
• Imported by: https://pkg.go.dev/github.com/portainer/portainer?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/portainer/portainer
      vulnerable_at: 0.10.1
      packages:
        - package: n/a
cves:
    - CVE-2018-12678
references:
    - fix: https://github.com/portainer/portainer/pull/1979
    - web: https://github.com/portainer/portainer/releases/tag/1.18.0

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports