All Vulnerability Reports

CVE-2019-19025: Cross-Site Request Forgery Vulnerability in VMware Harbor Container Registry for Pivotal Platform

Severity

Critical

Vendor

Pivotal

Description

It was discovered that in VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

• VMware Harbor Container Registry for Pivotal Platform
  • 1.8 versions prior to 1.8.6
  • 1.9 versions prior to 1.9.3

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

• VMware Harbor Container Registry for Pivotal Platform
  • 1.8.6
  • 1.9.3

Credit

This issue was responsibly reported by Cure53.

References

• https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19025

History

2019-12-04: Initial vulnerability report published.