Critical severity vulnerability in Harbor (CVE-2019-16097) #security


michmike@...

Attention Harbor Users,

A new Harbor security advisory has been published at https://github.com/goharbor/harbor/security/advisories?state=published for CVE-2019-16097 (https://nvd.nist.gov/vuln/detail/CVE-2019-16097).

The internal testing team of Harbor has identified a critical vulnerability. The vulnerability allows non-admin users to create Harbor admin accounts by sending Harbor a malicious request. The vulnerability was quickly fixed by the Harbor team and backported to all supported versions.

Details: core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API.

How to tell if your deployment is affected (both conditions must hold):

* You use database authentication.

AND

* You have self-registration enabled.

If your deployment runs an affected Harbor version, update to 1.7.6 or 1.8.3 immediately.

Affected Harbor versions are:

* 1.7.x prior to 1.7.6 (CVE is fixed in 1.7.6)

* 1.8.x prior to 1.8.3 (CVE is fixed in 1.8.3)
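The two conditions above and the affected version ranges can be combined into a single read-only check against a deployment. The following script is an added example, not part of the advisory or of the Harbor project; it assumes (this is an assumption, not stated in the advisory) that GET /api/systeminfo on Harbor 1.x returns a JSON object with the keys "harbor_version", "auth_mode" (with "db_auth" meaning database authentication) and "self_registration". The sample responses embedded at the bottom are constructed for illustration.

```python
"""Assess a Harbor deployment against the CVE-2019-16097 advisory conditions.

Assumption (not from the advisory): Harbor 1.x exposes GET /api/systeminfo
with "harbor_version", "auth_mode" and "self_registration" keys. Verify the
key names against your own deployment before relying on the result.
"""
import json
import re
import urllib.request

# Affected ranges from the advisory: 1.7.x before 1.7.6 and 1.8.x before 1.8.3.
FIXED_IN = {(1, 7): 6, (1, 8): 3}


def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'v1.8.2-92d2c1e8'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(version):
    """True when the version lies inside one of the advisory's affected ranges."""
    major, minor, patch = version
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch


def assess(systeminfo):
    """Classify a /api/systeminfo response.

    "affected"           - vulnerable version AND db auth AND self-registration on
    "vulnerable-version" - vulnerable code, but at least one condition is not met
    "not-affected"       - version outside the affected ranges
    "unknown-version"    - version string missing or unparsable
    """
    version = parse_version(systeminfo.get("harbor_version"))
    db_auth = systeminfo.get("auth_mode") == "db_auth"      # assumed value name
    self_reg = bool(systeminfo.get("self_registration"))
    if version is None:
        status = "unknown-version"
    elif not version_is_vulnerable(version):
        status = "not-affected"
    elif db_auth and self_reg:
        status = "affected"
    else:
        status = "vulnerable-version"
    return {
        "version": version,
        "db_auth": db_auth,
        "self_registration": self_reg,
        "status": status,
    }


def fetch_systeminfo(base_url):
    """Read the unauthenticated system info endpoint (assumed path) of a live Harbor."""
    url = base_url.rstrip("/") + "/api/systeminfo"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real deployment).
SAMPLE_AFFECTED = {
    "harbor_version": "v1.8.2-92d2c1e8",
    "auth_mode": "db_auth",
    "self_registration": True,
}
SAMPLE_PATCHED = {
    "harbor_version": "v1.8.3-0d1f2e3a",
    "auth_mode": "db_auth",
    "self_registration": True,
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(assess(fetch_systeminfo(sys.argv[1])), indent=2))
    else:
        for sample in (SAMPLE_AFFECTED, SAMPLE_PATCHED):
            print(json.dumps(assess(sample), indent=2))
```

Run it with the base URL of a registry you administer to get a JSON verdict, or with no argument to see the two constructed samples classified. A "vulnerable-version" result still means the patched code is absent; the advisory's conditions only describe when the flaw is reachable, so the upgrade applies in that case too.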

Please update to the latest release of Harbor that includes a fix for this CVE.

  1. 1.9 [https://github.com/goharbor/harbor/releases/tag/v1.9.0]
  2. 1.8.3 [https://github.com/goharbor/harbor/releases/tag/v1.8.3]
  3. 1.7.6 [https://github.com/goharbor/harbor/releases/tag/v1.7.6]

Michael Michael

Core Maintainer, Harbor

M2TM