Critical severity vulnerability in Harbor (CVE-2019-16919) #security
Michael Michael <michmike@...>
Attention Harbor users.
A new Harbor security advisory has been published at https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624

Impact
The internal Harbor team has identified a Broken Access Control critical vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.

Known Attack Vectors
A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.

Patches
If your product uses the affected releases of Harbor, update to version 1.8.4 and 1.9.1 to patch this issue immediately.

Workarounds
There is no workaround for this issue.

For more information
If you have any questions or comments about this advisory, contact cncf-harbor-security@...
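The advisory's core point is that the robot-account creation endpoint checked the caller's role but not that the requested permissions were scoped to the project named in the request. The following Go model, added here as an illustration and not Harbor's own code (the types, the request shape and the project-ID-based scope are assumptions), shows the missing-scope check beside the corrected one:

```go
package main

import (
	"errors"
	"fmt"
)

// Role a user holds in one project (illustrative model, not Harbor's own types).
type Role int

const (
	RoleNone Role = iota
	RoleProjectAdmin
)

// Permission requested for the robot account: an action on one project's repositories.
type Permission struct {
	ProjectID int
	Action    string // "push" or "pull"
}

// RobotRequest models a create-robot call under /projects/{PathProjectID} (hypothetical shape).
type RobotRequest struct {
	PathProjectID int
	Permissions   []Permission
}

// Authz maps user -> project ID -> role; lookups on missing keys yield RoleNone.
type Authz map[string]map[int]Role

// createRobotVulnerable checks only the caller's role in the path project and never
// verifies that each requested permission stays inside that project.
func createRobotVulnerable(a Authz, user string, req RobotRequest) error {
	if a[user][req.PathProjectID] != RoleProjectAdmin {
		return errors.New("forbidden: caller is not a project admin of the path project")
	}
	return nil // permissions naming another project slip through
}

// createRobotFixed runs the same caller-role check, then binds every permission to the path project.
func createRobotFixed(a Authz, user string, req RobotRequest) error {
	if err := createRobotVulnerable(a, user, req); err != nil {
		return err
	}
	for _, p := range req.Permissions {
		if p.ProjectID != req.PathProjectID {
			return fmt.Errorf("forbidden: %s on project %d is outside project %d", p.Action, p.ProjectID, req.PathProjectID)
		}
	}
	return nil
}
```

The same binding applies to any field of the request body that names a target (project name, repository path, resource string): derive the scope from the authorized path project rather than trusting the body.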
ray_wu@...
Return Receipt: Your [harbor-users] document "Critical severity vulnerability in Harbor (CVE-2019-16919) #security" was received by ray_wu@... at 10/17/2019 10:38:20 AM