Critical severity vulnerability in Harbor (CVE-2019-16919) #security
A new Harbor security advisory has been published at https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624
Impact
The internal Harbor team has identified a critical Broken Access Control vulnerability. It allows a project administrator to use the Harbor API to create a robot account that holds push and/or pull permissions on a project they do not administer or otherwise have access to. The Harbor API did not enforce the proper project permissions and project scope on the request that creates a new robot account. The Harbor team fixed the vulnerability immediately, and all supported versions have been patched.
Known Attack Vectors
A malicious actor with administrative access to one project may be able to use the Harbor API to create a robot account that targets an adjacent project. Successful exploitation may lead to unauthorized push, pull, or modification of images in that adjacent project.
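The Impact and Known Attack Vectors sections above describe a missing scope check rather than the exact code path, so the following is an added illustration and not Harbor's own code or its actual fix. It assumes, as Harbor 1.x robot-account requests do, that the body of POST /api/projects/{project_id}/robots carries an "access" list whose resource strings name a project (for example "/project/3/repository"). The membership table, user names, and request bodies are constructed for the example. The vulnerable handler checks only that the caller administers the project in the URL; the hardened one additionally rejects any grant whose resource is scoped to a different project.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Access is one grant in the "access" list of a Harbor 1.x robot-account
// request body, e.g. {"resource": "/project/3/repository", "action": "pull"}.
type Access struct {
	Resource string `json:"resource"`
	Action   string `json:"action"`
}

// RobotRequest is the body of POST /api/projects/{project_id}/robots, reduced
// to the fields that matter for the access-control check.
type RobotRequest struct {
	Name   string   `json:"name"`
	Access []Access `json:"access"`
}

// Membership is a hypothetical stand-in for Harbor's project-member lookup:
// user -> set of project IDs the user administers. Constructed for the example.
type Membership map[string]map[int]bool

// IsProjectAdmin reports whether user is an administrator of projectID.
func (m Membership) IsProjectAdmin(user string, projectID int) bool {
	return m[user][projectID]
}

// projectResource matches "/project/<id>" followed by "/" or end of string.
var projectResource = regexp.MustCompile(`^/project/(\d+)(?:/|$)`)

// resourceProjectID extracts the project ID named by a resource path.
func resourceProjectID(resource string) (int, bool) {
	m := projectResource.FindStringSubmatch(resource)
	if m == nil {
		return 0, false
	}
	id, err := strconv.Atoi(m[1])
	return id, err == nil
}

// createRobotVulnerable models the pre-fix behaviour the advisory describes:
// the caller's role is checked only against the project in the URL, and the
// grants in the body are accepted as-is, whatever project they name.
func createRobotVulnerable(m Membership, user string, pathProjectID int, req RobotRequest) error {
	if !m.IsProjectAdmin(user, pathProjectID) {
		return errors.New("forbidden: caller is not a project admin")
	}
	return nil // grants to any project are accepted
}

// createRobotHardened adds the missing scope check: every grant must name the
// project the request was made against, so a project admin cannot mint a
// robot that pushes or pulls in another project.
func createRobotHardened(m Membership, user string, pathProjectID int, req RobotRequest) error {
	if !m.IsProjectAdmin(user, pathProjectID) {
		return errors.New("forbidden: caller is not a project admin")
	}
	for _, a := range req.Access {
		id, ok := resourceProjectID(a.Resource)
		if !ok {
			return fmt.Errorf("bad request: %q is not a project-scoped resource", a.Resource)
		}
		if id != pathProjectID {
			return fmt.Errorf("forbidden: %q is scoped to project %d, request is for project %d", a.Resource, id, pathProjectID)
		}
	}
	return nil
}

// parseRequest decodes a request body as the API would.
func parseRequest(body string) (RobotRequest, error) {
	var req RobotRequest
	err := json.Unmarshal([]byte(body), &req)
	return req, err
}

// Constructed sample: "mallory" administers project 1 only.
var members = Membership{"mallory": {1: true}}

// Constructed request bodies. The second asks project 1's endpoint for a robot
// with push access to project 2's repositories, the cross-project case.
const legit = `{"name":"ci","access":[{"resource":"/project/1/repository","action":"pull"}]}`
const crossProject = `{"name":"ci","access":[{"resource":"/project/2/repository","action":"push"}]}`

func main() {
	for _, body := range []string{legit, crossProject} {
		req, err := parseRequest(body)
		if err != nil {
			panic(err)
		}
		fmt.Printf("vulnerable: %v\n", createRobotVulnerable(members, "mallory", 1, req))
		fmt.Printf("hardened:   %v\n", createRobotHardened(members, "mallory", 1, req))
	}
}
```

Running it shows the vulnerable handler returning nil for both bodies, while the hardened handler accepts the first and rejects the second. The point to carry over to any similar API is that an authorization check on the path parameter alone is not enough when the request body can name a second object; every object the body references has to be checked against the same scope.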
Patches
If your product uses an affected release of Harbor, update immediately to version 1.8.4 (for the 1.8.x line) or 1.9.1 (for the 1.9.x line) to patch this issue.
- https://github.com/goharbor/harbor/releases/tag/v1.8.4
- https://github.com/goharbor/harbor/releases/tag/v1.9.1
Workarounds
There is no workaround for this issue.
For more information
If you have any questions or comments about this advisory, contact cncf-harbor-security@...
- View our security policy at https://github.com/goharbor/harbor/security/policy
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16919