Missing Authorization in Harbor

GHSA-9wvh-ff5f-xjpj · CVE-2019-16097 · GO-2022-0818

Published Feb 15, 2022 · Modified Aug 21, 2024

Description

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API. This is fixed in 1.9.0-rc1.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-16097
WEB https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517
WEB https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1
WEB https://github.com/goharbor/harbor/releases/tag/v1.7.6
WEB https://github.com/goharbor/harbor/releases/tag/v1.8.3
WEB https://github.com/ianxtianxt/CVE-2019-16097
WEB https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097
WEB http://www.vmware.com/security/advisories/VMSA-2019-0015.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes