CVE-2019-19025: Cross-Site Request Forgery Vulnerability in VMware Harbor Container Registry for Pivotal Platform
Severity
Critical
Vendor
Pivotal
Description
It was discovered that in VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
-
VMware Harbor Container Registry for Pivotal Platform
- 1.8 versions prior to 1.8.6
- 1.9 versions prior to 1.9.3
Mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
-
VMware Harbor Container Registry for Pivotal Platform
- 1.8.6
- 1.9.3
Credit
This issue was responsibly reported by Cure53.
References
- https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19025
History
2019-12-04: Initial vulnerability report published.