Impact
The internal testing team of Harbor has identified a critical vulnerability. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The vulnerability was immediately fixed by the Harbor team and backported to all supported versions
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API.
How to tell if your product is affected:
- You use database authentication.
AND
- You have self-registration enabled.
Patches
If your product uses Harbor, updates to 1.7.6/1.8.3 should be taken immediately.
Affected Harbor versions are:
- 1.7.x prior to 1.7.6 (fixed in 1.7.6)
- 1.8.x prior to 1.8.3 (fixed in 1.8.3)
Workarounds
There are no workarounds outside of upgrading
References
For more information
If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io
Impact
The internal testing team of Harbor has identified a critical vulnerability. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The vulnerability was immediately fixed by the Harbor team and backported to all supported versions
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API.
How to tell if your product is affected:
AND
Patches
If your product uses Harbor, updates to 1.7.6/1.8.3 should be taken immediately.
Affected Harbor versions are:
Workarounds
There are no workarounds outside of upgrading
References
For more information
If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io