Vulnerability Description
The Harbor API has a Broken Access Control vulnerability. It allows a project administrator to use the Harbor API to create a robot account with unauthorized push and/or pull permissions on a project they do not have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request that creates a new robot account.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Harbor | >= 1.8.0, <= 1.8.3 |
| Vmware | Cloud Foundation | - |
| Vmware | Harbor Container Registry | >= 1.7.0, <= 1.7.6 |
Related Weaknesses (CWE)
References
- http://www.vmware.com/security/advisories/VMSA-2019-0016.html (Third Party Advisory)
- https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624 (Patch, Third Party Advisory)
- https://landscape.cncf.io/selected=harbor (Product, Third Party Advisory)
FAQ
What is CVE-2019-16919?
CVE-2019-16919 is a vulnerability with a CVSS score of 7.5 (HIGH). The Harbor API has a Broken Access Control vulnerability that allows a project administrator to use the Harbor API to create a robot account with unauthorized push and/or pull permissions on a project they do not have access to or control over, because the API did not enforce the proper project permissions and project scope on the robot account creation request.
How severe is CVE-2019-16919?
CVE-2019-16919 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-16919?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Harbor, Vmware Cloud Foundation, Vmware Harbor Container Registry.