CVE-2019-3990: User Enumeration Flaw in VMware Harbor Container Registry for Pivotal Platform


Severity

Medium

Vendor

Pivotal

Description

VMware Harbor Container Registry for Pivotal Platform versions prior to 1.8.6 and 1.9.3 are vulnerable to a user enumeration flaw. The issue is present in the "/users" API endpoint, which is supposed to be restricted to administrators. This restriction can be bypassed, and information can be obtained via the "search" functionality.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • VMware Harbor Container Registry for Pivotal Platform
    • 1.8 versions prior to 1.8.6
    • 1.9 versions prior to 1.9.3

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

  • VMware Harbor Container Registry for Pivotal Platform
    • 1.8.6
    • 1.9.3
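
The affected and fixed ranges above can be applied to a deployment inventory as follows. This is an added example, not code from the vendor; the deployment names and version strings are constructed, and ignoring any build suffix after the patch number is an assumption.

```python
import re

# First fixed patch release per branch, taken from the advisory.
FIXED = {(1, 8): 6, (1, 9): 3}

# Assumption: versions look like "1.8.5" or "v1.9.2-build.4"; any suffix
# after the patch number is ignored for the comparison.
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # The advisory only covers the 1.8 and 1.9 branches, so other
        # branches are reported separately instead of being called safe.
        return "not-listed"
    return "affected" if patch < fixed_patch else "fixed"


def triage(inventory: dict) -> dict:
    """Group deployment names by their status under the advisory."""
    result = {"affected": [], "fixed": [], "not-listed": [], "unparsed": []}
    for name, version in sorted(inventory.items()):
        try:
            result[classify(version)].append(name)
        except ValueError:
            result["unparsed"].append(name)
    return result


# Constructed inventory: hypothetical deployment names and versions.
SAMPLE = {
    "prod-east": "1.8.5",
    "prod-west": "1.9.3",
    "staging": "1.9.2-build.4",
    "lab": "1.7.1",
    "dr-site": "latest",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status:<11} {', '.join(names) or '-'}")
```

Deployments reported as `not-listed` or `unparsed` need manual review, since the advisory makes no statement about them.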

Credit

This issue was responsibly reported by Nick Manfredi of Tenable Research.

History

2019-12-04: Initial vulnerability report published.