Topics

Critical severity vulnerability in Harbor (CVE-2019-16097) #security

Michael Michael
 

Attention Harbor Users,

 

A new Harbor security advisory has been published at https://github.com/goharbor/harbor/security/advisories?state=published for CVE https://nvd.nist.gov/vuln/detail/CVE-2019-16097.

The internal testing team of Harbor has identified a critical vulnerability. The vulnerability allows non-admin users to create Harbor admin accounts by sending Harbor a malicious request. The vulnerability was quickly fixed by the Harbor team and backported to all supported versions.

 

Details: core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API.

 

How to tell if your deployment is affected:

* You use database authentication.

AND

* You have self-registration enabled.

 

If your deployment uses Harbor, updates to 1.7.6/1.8.3 should be taken immediately.

Affected Harbor versions are:

* 1.7.x prior to 1.7.6 (CVE is fixed in 1.7.6)

* 1.8.x prior to 1.8.3 (CVE is fixed in 1.8.3)

 

Please update to the latest release of Harbor that includes a fix for this CVE.

  1. 1.9 [https://github.com/goharbor/harbor/releases/tag/v1.9.0]
  2. 1.8.3 [https://github.com/goharbor/harbor/releases/tag/v1.8.3]
  3. 1.7.6 [https://github.com/goharbor/harbor/releases/tag/v1.7.6]

 

Michael Michael

Core Maintainer, Harbor

 

M2TM