CVE-2019-19025: Cross-Site Request Forgery Vulnerability in VMware Harbor Container Registry for Pivotal Platform
Critical
Pivotal
It was discovered that in VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim.
Severity is critical unless otherwise noted.
-
VMware Harbor Container Registry for Pivotal Platform
- 1.8 versions prior to 1.8.6
- 1.9 versions prior to 1.9.3
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
-
VMware Harbor Container Registry for Pivotal Platform
- 1.8.6
- 1.9.3
This issue was responsibly reported by Cure53.
- https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19025
2019-12-04: Initial vulnerability report published.