Lucene search

GoogleOSV:GHSA-9WVH-FF5F-XJPJ

HistoryFeb 15, 2022 - 1:57 a.m.

Missing Authorization in Harbor

2022-02-1501:57:18

Google

osv.dev

0.965 High

EPSS

Percentile

99.6%

JSON

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API. This is fixed in 1.9.0-rc1.

CPENameOperatorVersion
github.com/goharbor/harborge1.7.0
github.com/goharbor/harborlt1.9.0-rc1

CPE	Name	Operator	Version
	github.com/goharbor/harbor	ge	1.7.0
	github.com/goharbor/harbor	lt	1.9.0-rc1

References

www.vmware.com/security/advisories/VMSA-2019-0015.html

github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517

github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1

github.com/goharbor/harbor/releases/tag/v1.7.6

github.com/goharbor/harbor/releases/tag/v1.8.3

github.com/ianxtianxt/CVE-2019-16097

nvd.nist.gov/vuln/detail/CVE-2019-16097

unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097

0.965 High

EPSS

Percentile

99.6%

JSON

Related for OSV:GHSA-9WVH-FF5F-XJPJ