  • v1.9.3
  • 730d6d2

@wy65701436 wy65701436 released this Nov 18, 2019 · 48 commits to release-1.9.0 since this release

Resolved Issues

  • Full list of issues fixed in v1.9.3

  • Fix security issue: a user with Project-Admin capabilities can exploit SQL injection to read secrets from the underlying database or conduct privilege escalation.
    GHSA-qcfv-8v29-469w

  • Fix security issue: An authenticated administrator can send a specially crafted SQL payload through the GET parameter sort, allowing the extraction of sensitive information from the database.
    GHSA-rh89-vvrg-fg64

  • Fix security issue: a normal user can gain administrator account privileges by making an API call to modify the email address of a specific user.
    GHSA-3868-7c5x-4827

  • Fix security issue: Non-administrator users (such as those created via self-registration) can list all usernames and user IDs by sending a GET request to /api/users/search with no parameters
    GHSA-6qj9-33j4-rvhg

  • Fix security issue: without protection against Cross-Site Request Forgery (CSRF), an attacker can execute any action on the platform in the context of the currently authenticated victim
    GHSA-gcqm-v682-ccw6

Known Issues:

  • Migrating to 1.9 can take a few minutes before the API is callable. This is due to the implementation of quotas. #8935
  • Replication does not work between a Harbor instance of a previous version and a Harbor 1.9.0 instance, and is not supported by the Harbor team. #8673