CVE-2019-19023: Privilege Escalation Vulnerability in VMware Harbor Container Registry for Pivotal Platform
Critical
Pivotal
VMware Harbor Container Registry for Pivotal Platform versions prior to 1.8.6 and 1.9.3 contain a privilege escalation vulnerability. A normal user can gain administrator account privileges by making an API call that modifies the email address of a specific user; they can then reset the password for that email address and gain access to that account. The Harbor API did not enforce the proper permissions and scope on the API request that modifies the email address.
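The missing check, illustrated as an added Go example that is not Harbor's own code: the `Principal` and `User` types, the in-memory user map and the function names are assumptions, but the contrast is the one the advisory describes, an update handler that ignores who the caller is beside one that lets a user edit only their own account unless they are a system administrator.

```go
package main
import (
	"errors"
	"fmt"
)
// Principal is the authenticated API caller (assumed shape, not Harbor's own type).
type Principal struct {
	UserID     int
	IsSysAdmin bool
}

// User is a minimal registry account record (assumed shape).
type User struct {
	ID    int
	Email string
}

var ErrForbidden = errors.New("forbidden: caller may not modify this user")
// vulnerableUpdateEmail mirrors the flaw: the caller is ignored, so any user can edit any account.
func vulnerableUpdateEmail(users map[int]*User, _ Principal, targetID int, email string) error {
	u, ok := users[targetID]
	if !ok {
		return errors.New("user not found")
	}
	u.Email = email
	return nil
}

// authorizeUserUpdate is the scope check: only the account owner or a sysadmin may edit it.
func authorizeUserUpdate(caller Principal, targetID int) error {
	if caller.IsSysAdmin || caller.UserID == targetID {
		return nil
	}
	return ErrForbidden
}

// fixedUpdateEmail runs the authorization check before touching the record.
func fixedUpdateEmail(users map[int]*User, caller Principal, targetID int, email string) error {
	if err := authorizeUserUpdate(caller, targetID); err != nil {
		return err
	}
	return vulnerableUpdateEmail(users, caller, targetID, email)
}

func main() {
	users := map[int]*User{1: {ID: 1, Email: "admin@example.test"}, 2: {ID: 2, Email: "bob@example.test"}}
	bob := Principal{UserID: 2} // ordinary user, not a sysadmin
	fmt.Println(fixedUpdateEmail(users, bob, 1, "changed@example.test"), users[1].Email) // forbidden, email unchanged
}
```

The same check belongs on every field of the user record, not only the email, since any field that feeds an account-recovery flow is an equivalent target.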
Severity is critical unless otherwise noted.
- VMware Harbor Container Registry for Pivotal Platform
  - 1.9 versions prior to 1.9.3
  - 1.8 versions prior to 1.8.6
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
- VMware Harbor Container Registry for Pivotal Platform
  - 1.9.3
  - 1.8.6
- https://github.com/goharbor/harbor/security/advisories/GHSA-3868-7c5x-4827
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19023
2019-12-04: Initial vulnerability report published.