Source: Harbor official site
Published: 2019-09-19
Update details
Impact
The internal testing team of Harbor has identified a critical vulnerability that allows attackers to take over Harbor registries by sending them a malicious request. The Harbor team fixed the vulnerability immediately and backported the fix to all supported versions.
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API.
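The defect described above is a user-creation handler that trusts an admin-role flag in the request body no matter who sent it. The following Go code is an added example written for this page, not code from the Harbor project: it puts a minimal vulnerable version of that pattern beside a hardened one that only honours the flag when the caller is already a system administrator, and rejects the request otherwise so the attempt shows up in the HTTP logs. The request field name `has_admin_role`, the `Caller` type and the `callerOf` session helper are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// NewUserRequest models the JSON body of a user-creation request.
// The field names are assumptions for this example, not taken from the advisory.
type NewUserRequest struct {
	Username     string `json:"username"`
	Email        string `json:"email"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// Caller is the already-resolved identity of whoever sent the request.
// Self-registration and ordinary users have SysAdmin == false.
type Caller struct {
	SysAdmin bool
}

// StoredUser is what the handler would persist.
type StoredUser struct {
	Username     string
	HasAdminRole bool
}

var ErrAdminFlagForbidden = errors.New("only a system administrator may create an admin account")

// createUserVulnerable copies the caller-supplied admin flag straight into the
// stored account. This is the pattern the advisory describes: a non-admin
// caller decides whether the new account is an administrator.
func createUserVulnerable(_ Caller, req NewUserRequest) StoredUser {
	return StoredUser{Username: req.Username, HasAdminRole: req.HasAdminRole}
}

// createUserHardened refuses to grant the admin role unless the caller is a
// system administrator. Rejecting (rather than silently clearing the flag)
// turns the attempt into a 403 that is visible in access logs.
func createUserHardened(caller Caller, req NewUserRequest) (StoredUser, error) {
	if req.HasAdminRole && !caller.SysAdmin {
		return StoredUser{}, ErrAdminFlagForbidden
	}
	return StoredUser{Username: req.Username, HasAdminRole: req.HasAdminRole}, nil
}

// HandleCreateUser wires the hardened rule into an HTTP handler. callerOf is a
// hypothetical helper that resolves the session to a Caller.
func HandleCreateUser(callerOf func(*http.Request) Caller) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req NewUserRequest
		// Bound the body so a malformed or oversized request cannot exhaust memory.
		if err := json.NewDecoder(io.LimitReader(r.Body, 1<<16)).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		u, err := createUserHardened(callerOf(r), req)
		if errors.Is(err, ErrAdminFlagForbidden) {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusCreated)
		fmt.Fprintf(w, "created %s admin=%v\n", u.Username, u.HasAdminRole)
	}
}

func main() {
	// Constructed self-registration body that carries the admin flag.
	body := `{"username":"newuser","email":"new@example.invalid","password":"x","has_admin_role":true}`
	var req NewUserRequest
	if err := json.Unmarshal([]byte(body), &req); err != nil {
		panic(err)
	}
	fmt.Println("vulnerable:", createUserVulnerable(Caller{}, req))
	_, err := createUserHardened(Caller{}, req)
	fmt.Println("hardened:", err)
}
```

The same rule applies to any later update endpoint that can toggle the role: the check belongs on the server side next to the privilege decision, never on the presence or absence of a UI control.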
How to tell if your product is affected: both of the following must be true.
You use database authentication.
AND
You have self-registration enabled.
Patches
If your product uses Harbor, upgrade to 1.7.6 or 1.8.3 immediately.
Affected Harbor versions are:
1.7.x prior to 1.7.6 (fixed in 1.7.6)
1.8.x prior to 1.8.3 (fixed in 1.8.3)
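The three conditions above (affected version line, database authentication, self-registration enabled) can be evaluated mechanically against a Harbor instance's system information. The following Go code is an added example for this page, not part of the advisory or the Harbor project: it parses a constructed system-info document and applies exactly the advisory's criteria. The JSON field names (`auth_mode`, `self_registration`, `harbor_version`) and the `db_auth` value are assumptions modelled on Harbor's system-info endpoint; the version boundaries come from the advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// SystemInfo holds only the fields the check needs. Field names are assumptions
// modelled on Harbor's system-info response, not taken from the advisory.
type SystemInfo struct {
	AuthMode         string `json:"auth_mode"`
	SelfRegistration bool   `json:"self_registration"`
	HarborVersion    string `json:"harbor_version"`
}

// fixedIn maps each affected release line to the first fixed version (from the advisory).
var fixedIn = map[string][3]int{
	"1.7": {1, 7, 6},
	"1.8": {1, 8, 3},
}

// parseVersion accepts forms like "1.8.2", "v1.8.2" and "v1.8.2-abc123",
// ignoring any build suffix after '-' or '+'.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 3 {
		return out, fmt.Errorf("unrecognised version %q", v)
	}
	for i := 0; i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return out, fmt.Errorf("unrecognised version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// versionAffected reports whether the version falls in an affected line and
// precedes that line's fixed release. Lines the advisory does not list are
// treated as not affected.
func versionAffected(version string) (bool, error) {
	p, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fix, ok := fixedIn[fmt.Sprintf("%d.%d", p[0], p[1])]
	if !ok {
		return false, nil
	}
	return less(p, fix), nil
}

// Assess applies the advisory's conditions and explains which ones hold.
func Assess(info SystemInfo) (bool, []string, error) {
	var reasons []string
	va, err := versionAffected(info.HarborVersion)
	if err != nil {
		return false, nil, err
	}
	if va {
		reasons = append(reasons, "version "+info.HarborVersion+" predates the fixed release")
	}
	if info.AuthMode == "db_auth" {
		reasons = append(reasons, "database authentication is in use")
	}
	if info.SelfRegistration {
		reasons = append(reasons, "self-registration is enabled")
	}
	return len(reasons) == 3, reasons, nil
}

func main() {
	// Constructed system-info document for illustration only.
	doc := `{"auth_mode":"db_auth","self_registration":true,"harbor_version":"v1.8.2-abc123"}`
	var info SystemInfo
	if err := json.Unmarshal([]byte(doc), &info); err != nil {
		panic(err)
	}
	affected, reasons, err := Assess(info)
	fmt.Println("affected:", affected, "reasons:", reasons, "err:", err)
}
```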
Workarounds
There are no workarounds other than upgrading.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-16097
https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
For more information
If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io
View our security policy at https://github.com/goharbor/harbor/security/policy
Open a ticket as per https://github.com/goharbor/harbor/issues/new/choose
Email us at cncf-harbor-security@lists.cncf.io