
Harbor official site security update (2019-11-18)

Source: Harbor official site  Published: 2019-11-18  Views: 626  Comments: 0

Basic information

Release date: 2019-11-18 (vendor local time)

Update type: security update

Updated version: v1.9.3

Detected at: 2019-12-06 16:16:26

Risk level: unknown

Intelligence contributed by: TSRC

Update title

Security update

Update details

### Resolved Issues
- [Full list of issues fixed in v1.9.3](https://github.com/goharbor/harbor/issues?q=is%3Aissue+label%3Atarget%2F1.9.3+is%3Aclosed)
- Fix security issue: a user with Project-Admin capabilities can exploit a SQL injection to read secrets from the underlying database or escalate privileges.
https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w

- Fix security issue: an authenticated administrator can send a specially crafted SQL payload through the GET parameter `sort`, allowing extraction of sensitive information from the database.
https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64

- Fix security issue: a normal user can gain administrator account privileges by making an API call that modifies the email address of a specific user.
https://github.com/goharbor/harbor/security/advisories/GHSA-3868-7c5x-4827

- Fix security issue: non-administrator users (such as those created via self-registration) can list all usernames and user IDs by sending a GET request to /api/users/search with no parameters.
https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg

- Fix security issue: without protection against Cross-Site Request Forgery (CSRF), an attacker can execute any action on the platform in the context of the currently authenticated victim.
https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6

### Known Issues
- Migrating to 1.9 can take a few minutes before the API is callable. This is due to the implementation of quotas. [#8935](https://github.com/goharbor/harbor/issues/8935)
- Replication does not work between a Harbor instance of a previous version and a Harbor 1.9.0 instance and is not supported by the Harbor team. [#8673](https://github.com/goharbor/harbor/issues/8673)

Software description

None yet

CVE ID

TSRC analysis

None yet

Industry news

None yet
