All Vulnerability Reports

CVE-2019-19023: Privilege Escalation Vulnerability in VMware Harbor Container Registry for Pivotal Platform

Severity

Critical

Vendor

Pivotal

Description

VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, are vulnerable to a privilege escalation vulnerability. The vulnerability allows a normal user to gain administrator account privileges by making an API call to modify the email address of a specific user. Subsequently they can reset the password for that email address and gain access to that account. The Harbor API did not enforce the proper permissions and scope on the API request to modify the email address.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

• VMware Harbor Container Registry for Pivotal Platform
  • 1.9 versions prior to 1.9.3
  • 1.8 versions prior to 1.8.6

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

• VMware Harbor Container Registry for Pivotal Platform
  • 1.9.3
  • 1.8.6

References

• https://github.com/goharbor/harbor/security/advisories/GHSA-3868-7c5x-4827
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19023

History

2019-12-04: Initial vulnerability report published.