All Vulnerability Reports

CVE-2019-16919: Broken access control vulnerability in Harbor API


Severity

Critical

Vendor

Pivotal

Description

A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

  • VMware Harbor Container Registry for Pivotal Platform
    • 1.8 versions prior to 1.8.4

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

  • VMware Harbor Container Registry for Pivotal Platform
    • 1.8.4

References

History

2019-10-16: Initial vulnerability report published.