CVE-2019-19023: Privilege Escalation Vulnerability in VMware Harbor Container Registry for Pivotal Platform
23866
04 December 2019
04 December 2019
CLOSED
CRITICAL
CVE-2019-19023
Severity
Critical
Vendor
Pivotal
Description
VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, is affected by a privilege escalation vulnerability. The vulnerability allows a normal user to gain administrator account privileges by making an API call to modify the email address of a specific user. The user can then reset the password for that email address and gain access to that account. The Harbor API did not enforce the proper permissions and scope on the API request to modify the email address.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- VMware Harbor Container Registry for Pivotal Platform
  - 1.9 versions prior to 1.9.3
  - 1.8 versions prior to 1.8.6
Mitigation
- VMware Harbor Container Registry for Pivotal Platform
  - 1.9.3
  - 1.8.6
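The description attributes the flaw to missing permission and scope enforcement on the request that modifies a user's email address. The following Go sketch is an added example, not Harbor's code or its actual fix, showing the kind of server-side check such an endpoint needs before the password-reset address can change; the `User` type, field names and function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a hypothetical account record for illustration, not Harbor's data model.
type User struct {
	ID      int
	Email   string
	IsAdmin bool
}

var ErrForbidden = errors.New("forbidden: caller may not modify this user")

// allowedFields is the assumed scope of a profile update; role flags are excluded.
var allowedFields = map[string]bool{"email": true, "realname": true}

// AuthorizeProfileUpdate enforces who may edit the target and which fields.
func AuthorizeProfileUpdate(caller, target User, fields []string) error {
	if caller.ID != target.ID && !caller.IsAdmin {
		return ErrForbidden // a normal user may only edit their own profile
	}
	for _, f := range fields {
		if !allowedFields[f] {
			return fmt.Errorf("field %q is outside the scope of a profile update", f)
		}
	}
	return nil
}

// UpdateEmail changes the stored address only after the authorization check passes.
func UpdateEmail(store map[int]*User, callerID, targetID int, email string) error {
	caller, okC := store[callerID]
	target, okT := store[targetID]
	if !okC || !okT {
		return errors.New("unknown user")
	}
	if err := AuthorizeProfileUpdate(*caller, *target, []string{"email"}); err != nil {
		return err
	}
	target.Email = email
	return nil
}

func main() { // constructed sample accounts
	store := map[int]*User{1: {1, "admin@example.test", true}, 2: {2, "dev@example.test", false}}
	fmt.Println(UpdateEmail(store, 2, 1, "other@example.test"))
}
```

The caller identity must come from the authenticated session, never from the request body, so that the comparison against the target ID cannot be influenced by the requester.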
References
- https://github.com/goharbor/harbor/security/advisories/GHSA-3868-7c5x-4827
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19023
History
2019-12-04: Initial vulnerability report published.