CVE-2019-16919: Broken access control vulnerability in Harbor API
Severity
Critical
Vendor
Pivotal
Description
A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.
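The advisory does not state the root cause. The Go example below is added here and is not code from the advisory or from the Harbor project; it illustrates one common pattern behind this class of broken access control (an authorization check performed against one project identifier while the write uses another, caller-supplied identifier) and the remediation of binding the check to the single identifier that is actually written. Every name in it (Membership, RobotRequest, createRobotVulnerable, createRobotFixed, the sample users and project numbers) is constructed for illustration and is an assumption, not Harbor's API.

```go
package main

import (
	"errors"
	"fmt"
)

// Role a user holds inside one project. Illustrative names, not Harbor's own types.
type Role int

const (
	RoleGuest Role = iota
	RoleDeveloper
	RoleProjectAdmin
)

// Membership maps user -> project ID -> role. Constructed in-memory stand-in for a
// membership table.
type Membership map[string]map[int]Role

// RobotRequest is a hypothetical request body for creating a robot account.
// ProjectID here is client-controlled, like any other body field.
type RobotRequest struct {
	Name      string
	ProjectID int // project the client claims the robot should live in (0 = unset)
}

var ErrForbidden = errors.New("forbidden: caller is not an admin of the target project")

// roleIn returns the caller's role in a project, defaulting to guest.
func (m Membership) roleIn(user string, project int) Role {
	if projects, ok := m[user]; ok {
		if r, ok := projects[project]; ok {
			return r
		}
	}
	return RoleGuest
}

// createRobotVulnerable shows the broken pattern (constructed, hypothetical):
// the authorization check uses the project ID from the URL path, but the robot
// is created in the project ID taken from the request body. An admin of
// pathProject can therefore land a robot in any other project.
// Returns the project ID the robot would be created in.
func createRobotVulnerable(m Membership, caller string, pathProject int, req RobotRequest) (int, error) {
	if m.roleIn(caller, pathProject) < RoleProjectAdmin {
		return 0, ErrForbidden
	}
	return req.ProjectID, nil // write target is the body's project, not the checked one
}

// createRobotFixed binds the authorization decision to the one identifier that
// is written: the path project. A body ProjectID that disagrees with the path
// is rejected outright rather than silently trusted.
func createRobotFixed(m Membership, caller string, pathProject int, req RobotRequest) (int, error) {
	if m.roleIn(caller, pathProject) < RoleProjectAdmin {
		return 0, ErrForbidden
	}
	if req.ProjectID != 0 && req.ProjectID != pathProject {
		return 0, fmt.Errorf("project id mismatch: path %d, body %d", pathProject, req.ProjectID)
	}
	return pathProject, nil
}

func main() {
	// Constructed sample data: alice administers project 1, bob administers project 2.
	m := Membership{
		"alice": {1: RoleProjectAdmin},
		"bob":   {2: RoleProjectAdmin},
	}
	req := RobotRequest{Name: "ci-robot", ProjectID: 2}
	p, err := createRobotVulnerable(m, "alice", 1, req)
	fmt.Println("vulnerable handler -> project", p, "err:", err)
	p, err = createRobotFixed(m, "alice", 1, req)
	fmt.Println("fixed handler      -> project", p, "err:", err)
}
```

The check that matters is the same in both handlers; what differs is which identifier the write trusts. When reviewing an API that scopes resources under a parent (project, tenant, organization), confirm that the identifier used for the authorization decision and the identifier used for the database write are the same value from the same source.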
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- VMware Harbor Container Registry for Pivotal Platform
  - 1.8 versions prior to 1.8.4
Mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
- VMware Harbor Container Registry for Pivotal Platform
  - 1.8.4
References
- https://www.vmware.com/security/advisories/VMSA-2019-0016.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16919
History
2019-10-16: Initial vulnerability report published.