
CVE-2019-16097

High
michmike published GHSA-fqvr-xx6w-m6m7 Sep 19, 2019 · 1 comment

Package

Harbor (Harbor)

Affected versions

1.7.0 to 1.7.5 and 1.8.0 to 1.8.2

Patched versions

1.7.6 and 1.8.3

Description

Impact

The internal testing team of Harbor has identified a critical vulnerability. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The vulnerability was immediately fixed by the Harbor team and backported to all supported versions.
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API.
How to tell if your product is affected:

  • You use database authentication.
    AND
  • You have self-registration enabled.
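As an added illustration (not Harbor's own code), this is the shape of the authorization check a self-registration endpoint such as POST /api/users needs: the admin flag in the request body is honoured only when the caller is already a system administrator. The Caller, CreateUser and has_admin_role names are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
)

// Caller is the security context of the request. An anonymous
// self-registration request has Authenticated == false.
type Caller struct {
	Authenticated bool
	SysAdmin      bool
}

// newUserRequest is the part of a POST /api/users body that matters
// here; the field names are assumptions for this example.
type newUserRequest struct {
	Username     string `json:"username"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// User is the account that would be persisted.
type User struct {
	Username string
	Admin    bool
}

var ErrForbidden = errors.New("only a system administrator may create an administrator")

// CreateUser returns the account to store, the HTTP status and an error.
// The admin flag in the body is honoured only when the caller is already
// a sysadmin; any other caller requesting it is rejected outright rather
// than silently granted, so the attempt can be logged and alerted on.
func CreateUser(c Caller, selfRegistrationEnabled bool, body []byte) (User, int, error) {
	if !c.Authenticated && !selfRegistrationEnabled {
		return User{}, http.StatusUnauthorized, errors.New("self-registration disabled")
	}
	var req newUserRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return User{}, http.StatusBadRequest, err
	}
	if req.Username == "" {
		return User{}, http.StatusBadRequest, errors.New("username required")
	}
	if req.HasAdminRole && !c.SysAdmin {
		return User{}, http.StatusForbidden, ErrForbidden
	}
	return User{Username: req.Username, Admin: req.HasAdminRole}, http.StatusCreated, nil
}
```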

Patches

If your product uses Harbor, upgrade to 1.7.6 or 1.8.3 immediately.
Affected Harbor versions are:

  • 1.7.x prior to 1.7.6 (fixed in 1.7.6)
  • 1.8.x prior to 1.8.3 (fixed in 1.8.3)

Workarounds

There are no workarounds outside of upgrading.

References

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io

Severity

High

CVE ID

CVE-2019-16097

Weaknesses

No CWEs