
Harbor official site security update (2019-10-16)

Source: Harbor official site Published: 2019-10-16

Basic information

Release date: 2019-10-16 (vendor local time)

Update type: security update

Updated versions: 1.8.4 and 1.9.1

Detected at: 2019-12-12 21:00:43

Risk level: critical

Intelligence contributed by: TSRC

Update title

CVE-2019-16919

Update details

Impact

The internal Harbor team has identified a Broken Access Control critical vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.
Known Attack Vectors

A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.
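The advisory's root cause is an authorization check that did not tie the caller's project-admin role, or the requested robot scopes, to the project named in the API path. The Go snippet below is an added illustration written for this page, not Harbor's own code: `weakPolicy` reproduces that class of mistake in a simplified model, and `scopedPolicy` shows the fail-closed check a reviewer would want. All type and function names, and the membership data, are constructed for the example.

```go
package main

import "errors"

// Scope is one permission a robot account asks for: an action on a project.
type Scope struct {
	Project string // project the permission would apply to
	Action  string // "push" or "pull"
}

// RobotRequest models the create-robot-account call: the project named in the
// URL path, the calling user, and the access the robot should receive.
type RobotRequest struct {
	PathProject string
	Requester   string
	Access      []Scope
}

// Memberships maps a user to the projects where they are project admin
// (constructed sample data, not read from a real Harbor instance).
type Memberships map[string]map[string]bool

var ErrForbidden = errors.New("forbidden: caller is not admin of the target project")

// weakPolicy shows the class of mistake the advisory describes: it only checks
// that the caller is an admin somewhere and never compares that with the
// project in the path, so an admin of project A can mint a robot for project B.
func weakPolicy(m Memberships, r RobotRequest) error {
	if len(m[r.Requester]) == 0 {
		return ErrForbidden
	}
	return nil
}

// scopedPolicy fails closed: the caller must be admin of the project named in
// the path, and every requested scope must stay inside that same project.
func scopedPolicy(m Memberships, r RobotRequest) error {
	if !m[r.Requester][r.PathProject] {
		return ErrForbidden
	}
	for _, s := range r.Access {
		if s.Project != r.PathProject || (s.Action != "push" && s.Action != "pull") {
			return ErrForbidden
		}
	}
	return nil
}
```

The second check matters as much as the first: even with the path project verified, scopes that name a different project must be rejected rather than silently honoured.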
Patches

If your product uses the affected releases of Harbor, update to version 1.8.4 and 1.9.1 to patch this issue immediately.

https://github.com/goharbor/harbor/releases/tag/v1.8.4
https://github.com/goharbor/harbor/releases/tag/v1.9.1

Workarounds

There is no workaround for this issue.

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io

View our security policy at https://github.com/goharbor/harbor/security/policy
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16919

Software description

None yet

CVE number

TSRC analysis

None yet

Industry news

None yet
