#VU21322 Improper access control in Harbor - CVE-2019-16097

Cybersecurity Help s.r.o.

Published: 2019-09-24

Vulnerability identifier: #VU21322

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-16097

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Harbor
Server applications / Virtualization software

Vendor: Harbor

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within "core/api/user.go" when processing HTTP POST requests to "/api/users" API, when Harbor is configured to use DB as authentication backend. A remote non-authenticated attacker can send a specially crafted HTTP request to the vulnerable API endpoint and create an administrative user account.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Harbor: 1.7.0 - 1.8.2

External links
https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517
https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1
https://github.com/goharbor/harbor/releases/tag/v1.7.6
https://github.com/goharbor/harbor/releases/tag/v1.8.3
https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper access control in VMware Harbor Container Registry for PCF

Improper access control in Harbor