CVE-2019-3990: User Enumeration Flaw in VMware Harbor Container Registry for Pivotal Platform
Severity
Medium
Vendor
Pivotal
Description
VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, is vulnerable to a user enumeration flaw. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators, but the restriction can be bypassed and user information can be obtained via the "search" functionality.
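The following Go program is an added illustration of the flaw class described above and of the fix pattern defenders expect; it is not Harbor's own code and makes no claim about how Harbor's handler was actually written. All names (vulnerableUsersHandler, hardenedUsersHandler, probe, the X-Role header standing in for a real session check, and the sample user directory) are constructed for this example. The vulnerable handler performs the administrator check only on the full listing branch, so a non-admin caller who supplies a search parameter still receives matching accounts; the hardened handler decides authorization before looking at any query parameter.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// User is a minimal constructed account record (not Harbor's own type).
type User struct {
	Username string `json:"username"`
	Email    string `json:"email"`
}

// Constructed sample directory used by both handlers.
var users = []User{
	{Username: "alice", Email: "alice@example.test"},
	{Username: "bob", Email: "bob@example.test"},
	{Username: "carol", Email: "carol@example.test"},
}

// callerIsAdmin is a stand-in for a real session/role lookup: the
// example treats the constructed "X-Role: admin" header as administrator.
func callerIsAdmin(r *http.Request) bool {
	return r.Header.Get("X-Role") == "admin"
}

// filterUsers returns accounts whose username contains q (case-insensitive).
func filterUsers(q string) []User {
	var out []User
	for _, u := range users {
		if strings.Contains(strings.ToLower(u.Username), strings.ToLower(q)) {
			out = append(out, u)
		}
	}
	return out
}

func writeJSON(w http.ResponseWriter, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(v)
}

// vulnerableUsersHandler: the admin check is applied only to the full
// listing. The search branch returns early, so the restriction can be
// bypassed by any authenticated caller who adds ?search=.
func vulnerableUsersHandler(w http.ResponseWriter, r *http.Request) {
	if q := r.URL.Query().Get("search"); q != "" {
		writeJSON(w, filterUsers(q))
		return
	}
	if !callerIsAdmin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	writeJSON(w, users)
}

// hardenedUsersHandler: authorization is decided once, before any
// branching on request parameters, so search and listing share the gate.
func hardenedUsersHandler(w http.ResponseWriter, r *http.Request) {
	if !callerIsAdmin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	writeJSON(w, filterUsers(r.URL.Query().Get("search")))
}

// probe sends one in-process request and reports the HTTP status and how
// many user records came back (0 unless the status is 200).
func probe(h http.HandlerFunc, role, search string) (status int, returned int) {
	target := "/api/users"
	if search != "" {
		target += "?search=" + url.QueryEscape(search)
	}
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	h(rec, req)
	if rec.Code != http.StatusOK {
		return rec.Code, 0
	}
	var got []User
	if err := json.NewDecoder(rec.Body).Decode(&got); err != nil {
		return rec.Code, 0
	}
	return rec.Code, len(got)
}

func main() {
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableUsersHandler}, {"hardened", hardenedUsersHandler}} {
		s, n := probe(c.h, "user", "ali")
		fmt.Printf("%-10s non-admin search: status=%d records=%d\n", c.name, s, n)
	}
}
```

Running the program shows the vulnerable handler answering a non-admin search with status 200 and one record, while the hardened handler returns 403 and nothing; the same gate-before-branch structure is what an upgrade to a fixed release restores, and a request log showing 200 responses to "/users?search=" from non-administrator sessions is the corresponding detection signal.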
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- VMware Harbor Container Registry for Pivotal Platform
  - 1.8 versions prior to 1.8.6
  - 1.9 versions prior to 1.9.3
Mitigation
Users of affected versions should upgrade to a release that fixes this issue. Fixed releases include:
- VMware Harbor Container Registry for Pivotal Platform
  - 1.8.6
  - 1.9.3
Credit
This issue was responsibly reported by Nick Manfredi of Tenable Research.
References
- https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3990
History
2019-12-04: Initial vulnerability report published.