Vulnerability Description
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Harbor | >= 1.7.0, <= 1.7.6 |
Related Weaknesses (CWE)
References
- https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhgPatchThird Party Advisory
- https://www.tenable.com/security/research/tra-2019-50Third Party Advisory
- https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhgPatchThird Party Advisory
- https://www.tenable.com/security/research/tra-2019-50Third Party Advisory
FAQ
What is CVE-2019-3990?
CVE-2019-3990 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and i...
How severe is CVE-2019-3990?
CVE-2019-3990 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3990?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Harbor.