Critical severity vulnerability in Harbor (CVE-2019-16097) #security
Attention Harbor Users,
A new Harbor security advisory has been published at https://github.com/goharbor/harbor/security/advisories?state=published for CVE https://nvd.nist.gov/vuln/detail/CVE-2019-16097.
The internal testing team of Harbor has identified a critical vulnerability. The vulnerability allows non-admin users to create Harbor admin accounts by sending Harbor a malicious request. The vulnerability was quickly fixed by the Harbor team and backported to all supported versions.
Details: core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API.
How to tell if your deployment is affected:
* You use database authentication.
* You have self-registration enabled.
If your deployment uses Harbor, updates to 1.7.6/1.8.3 should be taken immediately.
Affected Harbor versions are:
* 1.7.x prior to 1.7.6 (CVE is fixed in 1.7.6)
* 1.8.x prior to 1.8.3 (CVE is fixed in 1.8.3)
Please update to the latest release of Harbor that includes a fix for this CVE.
Core Maintainer, Harbor