CVE-2019-19023: Privilege Escalation Vulnerability in VMware Harbor Container Registry for Pivotal Platform
Severity
Critical
Vendor
Pivotal
Description
VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, are vulnerable to a privilege escalation vulnerability. The vulnerability allows a normal user to gain administrator account privileges by making an API call to modify the email address of a specific user. Subsequently they can reset the password for that email address and gain access to that account. The Harbor API did not enforce the proper permissions and scope on the API request to modify the email address.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
-
VMware Harbor Container Registry for Pivotal Platform
- 1.9 versions prior to 1.9.3
- 1.8 versions prior to 1.8.6
Mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
-
VMware Harbor Container Registry for Pivotal Platform
- 1.9.3
- 1.8.6
References
- https://github.com/goharbor/harbor/security/advisories/GHSA-3868-7c5x-4827
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19023
History
2019-12-04: Initial vulnerability report published.