CVE-2019-16919

Critical
michmike published GHSA-x2r2-w9c7-h624 Oct 16, 2019 · 1 comment

Package

Harbor (Harbor)

Affected versions

1.8.0 to 1.8.3 and 1.9.0

Patched versions

1.8.4 and 1.9.1

Description

Impact

The internal Harbor team has identified a critical Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull permissions on a project they do not have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.

Known Attack Vectors

A malicious actor with administrative access to a project may be able to create a robot account inside an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push, pull, or modify images in the target adjacent project.
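The advisory names two missing server-side checks on the robot-account creation request: the caller's role in the project named in the request path, and the project scope of every permission the new robot would receive. The following is an added illustration of an authorization check that performs both; it is not Harbor's code, and the type names (`CreateRobotRequest`, `RobotAccess`), the `Authorizer` interface, the role constants and the sample membership table are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is the caller's role in a single project (constructed for this example).
type Role int

const (
	RoleNone Role = iota
	RoleDeveloper
	RoleProjectAdmin
)

// RobotAccess is one requested permission on one project (hypothetical shape).
type RobotAccess struct {
	ProjectID int64
	Action    string // "push" or "pull"
}

// CreateRobotRequest is a hypothetical request body for creating a robot account.
// The project the robot is created under comes from the URL path, not from here.
type CreateRobotRequest struct {
	Name   string
	Access []RobotAccess
}

// Authorizer answers "what role does this user hold in this project?".
type Authorizer interface {
	RoleIn(userID string, projectID int64) Role
}

// memberTable is an in-memory Authorizer used for the constructed sample data.
type memberTable map[string]map[int64]Role

func (m memberTable) RoleIn(userID string, projectID int64) Role {
	return m[userID][projectID] // missing entries yield RoleNone
}

var (
	ErrForbidden  = errors.New("caller is not an administrator of the project in the request path")
	ErrOutOfScope = errors.New("robot permission targets a project other than the one in the request path")
)

// authorizeRobotCreate enforces the two checks the advisory describes as missing:
//  1. the caller must be a project administrator of the project named in the path, and
//  2. every permission granted to the new robot must be scoped to that same project,
//     so a request body cannot point the robot at an adjacent project.
func authorizeRobotCreate(a Authorizer, callerID string, pathProjectID int64, req CreateRobotRequest) error {
	if a.RoleIn(callerID, pathProjectID) != RoleProjectAdmin {
		return ErrForbidden
	}
	for _, acc := range req.Access {
		if acc.ProjectID != pathProjectID {
			return fmt.Errorf("%w: path project %d, requested project %d",
				ErrOutOfScope, pathProjectID, acc.ProjectID)
		}
	}
	return nil
}

// sampleMembers is constructed data: alice administers project 1 only, bob is a developer there.
var sampleMembers = memberTable{
	"alice": {1: RoleProjectAdmin},
	"bob":   {1: RoleDeveloper},
}

func main() {
	// In scope: admin of project 1 creates a robot with push on project 1.
	fmt.Println(authorizeRobotCreate(sampleMembers, "alice", 1,
		CreateRobotRequest{Name: "ci", Access: []RobotAccess{{ProjectID: 1, Action: "push"}}}))
	// Body names project 2 while the path names project 1: rejected by the scope check.
	fmt.Println(authorizeRobotCreate(sampleMembers, "alice", 1,
		CreateRobotRequest{Name: "ci", Access: []RobotAccess{{ProjectID: 2, Action: "pull"}}}))
	// Caller is not an administrator of the project in the path: rejected by the role check.
	fmt.Println(authorizeRobotCreate(sampleMembers, "bob", 1,
		CreateRobotRequest{Name: "ci", Access: []RobotAccess{{ProjectID: 1, Action: "pull"}}}))
}
```

The role check alone is not sufficient: a caller who legitimately administers project 1 can still send a body that names project 2, which is why the scope comparison against the path project is the second, independent gate.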

Patches

If your product uses the affected releases of Harbor, update to version 1.8.4 or 1.9.1 to patch this issue immediately.

Workarounds

There is no workaround for this issue.

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io.

Severity

Critical

CVE ID

CVE-2019-16919

Weaknesses

No CWEs