Skip to content

Privilege Escalation

Critical
michmike published GHSA-3868-7c5x-4827 Dec 3, 2019

Package

Harbor (Harbor)

Affected versions

1.7.*, 1.8.*, 1.9.*

Patched versions

1.9.3 and 1.8.6

Description

Impact

External Security Researchers have identified a privilege escalation critical vulnerability. The vulnerability allows
a normal user to gain administrator account privileges by making an API call to modify the email address of a specific user. Subsequently they can reset the password for that email address and gain access to that account. The Harbor API did not enforce the proper permissions and scope on the API request to modify the email address. The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.

Known Attack Vectors

Successful exploitation of this issue may lead to unauthorized access throughout the project

Patches

If your product uses the affected releases of Harbor, update to version 1.8.6 and 1.9.3 to patch this issue immediately.

https://github.com/goharbor/harbor/releases/tag/v1.8.6
https://github.com/goharbor/harbor/releases/tag/v1.9.3

Workarounds

There is no workaround for this issue

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io
View our security policy at https://github.com/goharbor/harbor/security/policy
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19023

Severity

Critical

CVE ID

CVE-2019-19023

Weaknesses

No CWEs