CVE-2019-16097: Harbor Privilege Escalation
- VMware Harbor Container Registry for PCF versions 1.7.0 to 1.7.5
- VMware Harbor Container Registry for PCF versions 1.8.0 to 1.8.2
VMware Harbor Container Registry for PCF, versions prior to 1.7.6 and versions 1.8.x prior to 1.8.3, allows anyone with network access to the Harbor /api/users API to register a new account with admin privileges. A remote unauthenticated malicious user can create admin accounts via the API when Harbor is configured with DB authentication and self-registration enabled.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
VMware Harbor Container Registry for PCF
- All versions from 1.7.0 to 1.7.5 inclusive
- All versions from 1.8.0 to 1.8.2 inclusive
Users of affected products are strongly encouraged to follow one of the mitigations below:
- Upgrade VMware Harbor Container Registry for PCF to a fixed version: 1.7.6 or later for the 1.7.x line, or 1.8.3 or later for the 1.8.x line (the versions the affected-versions statement above names as the first unaffected releases).
- Disable self-registration for users in your Harbor Container Registry (see Harbor CVE Advisory in references).
- Use a different identity provider instead of DB authentication (such as an LDAP store).
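The following is an added example, not code from the VMware advisory or from Harbor itself. It encodes the two conditions the advisory gives for exposure (an affected tile version, and DB authentication combined with user self-registration) so an operator can confirm whether the mitigations above apply to an installation. The field names `auth_mode` and `self_registration` are assumed to match the Harbor 1.x `/api/systeminfo` response; the tile version is passed in separately because that endpoint reports the Harbor core version, not the PCF tile version.

```python
# Added example (not from the VMware advisory or from Harbor): checks the
# advisory's two conditions for CVE-2019-16097, an affected tile version and a
# Harbor configuration with DB authentication plus user self-registration.
import json
from typing import Tuple

# Affected PCF tile ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ((1, 7, 0), (1, 7, 5)),
    ((1, 8, 0), (1, 8, 2)),
)

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.7.5' or 'v1.8.2' into a comparable (major, minor, patch) tuple."""
    parts = version.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def tile_version_affected(tile_version: str) -> bool:
    """True if the tile version lies inside one of the affected ranges."""
    v = parse_version(tile_version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def config_exposes_self_registration(systeminfo_json: str) -> bool:
    """True if Harbor uses DB auth and lets users self-register.

    Field names 'auth_mode' and 'self_registration' are assumed to match the
    Harbor 1.x /api/systeminfo response. Any other auth mode (e.g. LDAP, the
    advisory's second mitigation) counts as not exposed.
    """
    info = json.loads(systeminfo_json)
    return info.get("auth_mode") == "db_auth" and bool(info.get("self_registration"))

def is_vulnerable(tile_version: str, systeminfo_json: str) -> bool:
    """Both advisory conditions must hold: affected version and exposed config."""
    return tile_version_affected(tile_version) and config_exposes_self_registration(systeminfo_json)

# Constructed sample response in the shape of /api/systeminfo (not a real capture).
SAMPLE_SYSTEMINFO = json.dumps({"auth_mode": "db_auth", "self_registration": True})

if __name__ == "__main__":
    for tile in ("1.7.5", "1.7.6", "1.8.2", "1.8.3"):
        print(tile, "vulnerable" if is_vulnerable(tile, SAMPLE_SYSTEMINFO) else "not affected")
```

A result of "vulnerable" means either mitigation (disable self-registration or switch off DB auth) closes the exposure immediately, while the version upgrade removes the underlying defect.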