
CVE-2019-16919

michmike published GHSA-x2r2-w9c7-h624 Oct 16, 2019

critical severity
CVE ID: CVE-2019-16919
Affected versions: 1.8.0 to 1.8.3 and 1.9.0
Patched versions: 1.8.4 and 1.9.1
Package: Harbor
Package ecosystem: Harbor

Impact

The internal Harbor team has identified a critical Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they do not have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account: it checked the caller's role on the project named in the request, but not that every permission requested for the robot account was scoped to that same project. The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.
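The following is an added illustration of the authorization gap the advisory describes, written for this page; it is not Harbor's own code and the types, function names and the `/project/<name>/...` resource format are assumptions. A weak check verifies only that the caller administers the project named in the request path, which is the behaviour the advisory attributes to the affected versions. The scoped check additionally requires that every access entry in the request body points at that same project, so a project administrator cannot mint a robot account whose grants reach into a project they do not control.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed, simplified model of project membership; not Harbor's data structures.
type Role int

const (
	RoleNone Role = iota
	RoleDeveloper
	RoleProjectAdmin
)

// Caller is the authenticated user making the API request.
type Caller struct {
	Name  string
	Roles map[string]Role // project name -> role held by the caller
}

// AccessEntry is one grant requested for the robot account (hypothetical shape).
type AccessEntry struct {
	Resource string // e.g. "/project/teamA/repository"
	Action   string // "push" or "pull"
}

// RobotRequest models a "create robot account" call: the project comes from the
// URL path, the requested grants come from the request body.
type RobotRequest struct {
	Project string
	Access  []AccessEntry
}

var ErrForbidden = errors.New("forbidden")

// projectOfResource extracts the project segment from "/project/<name>/...".
func projectOfResource(res string) (string, bool) {
	parts := strings.Split(strings.TrimPrefix(res, "/"), "/")
	if len(parts) < 2 || parts[0] != "project" || parts[1] == "" {
		return "", false
	}
	return parts[1], true
}

// authorizeRobotCreateWeak checks only that the caller administers the project in
// the path. It never inspects which project each requested grant actually targets,
// so grants on an unrelated project slip through.
func authorizeRobotCreateWeak(c Caller, r RobotRequest) error {
	if c.Roles[r.Project] < RoleProjectAdmin {
		return ErrForbidden
	}
	return nil
}

// authorizeRobotCreate enforces project scope: the caller must administer the
// path project, and every requested grant must be confined to that project.
func authorizeRobotCreate(c Caller, r RobotRequest) error {
	if c.Roles[r.Project] < RoleProjectAdmin {
		return fmt.Errorf("%w: %s is not an admin of project %s", ErrForbidden, c.Name, r.Project)
	}
	for _, a := range r.Access {
		p, ok := projectOfResource(a.Resource)
		if !ok {
			return fmt.Errorf("%w: malformed resource %q", ErrForbidden, a.Resource)
		}
		if p != r.Project {
			return fmt.Errorf("%w: resource %q is outside project %s", ErrForbidden, a.Resource, r.Project)
		}
		if a.Action != "push" && a.Action != "pull" {
			return fmt.Errorf("%w: unsupported action %q", ErrForbidden, a.Action)
		}
	}
	return nil
}

func main() {
	// Constructed sample: alice administers teamA only, but the request body
	// asks for push access on teamB.
	alice := Caller{Name: "alice", Roles: map[string]Role{"teamA": RoleProjectAdmin}}
	req := RobotRequest{
		Project: "teamA",
		Access: []AccessEntry{
			{Resource: "/project/teamA/repository", Action: "pull"},
			{Resource: "/project/teamB/repository", Action: "push"}, // out of scope
		},
	}
	fmt.Println("weak check:  ", authorizeRobotCreateWeak(alice, req)) // nil: cross-project grant accepted
	fmt.Println("scoped check:", authorizeRobotCreate(alice, req))     // forbidden: teamB is outside teamA
}
```

The scope check is deliberately placed on the server side of the API, where the authoritative project membership lives; a client-side or UI-only restriction would not have closed this class of issue.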

Known Attack Vectors

A malicious actor with administrative access to a project may be able to create a robot account inside an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push, pull or modify images in the target adjacent project.

Patches

If your product uses the affected releases of Harbor, update to version 1.8.4 (for the 1.8 line) or 1.9.1 (for the 1.9 line) to patch this issue immediately.

Workarounds

There is no workaround for this issue.

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io
