CVE-2019-16097

Published Sep 8, 2019

Last updated 4 years ago

CVSS medium 6.5

Overview

Description: core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4
Impact score: 2.9
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:N/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-862

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.0:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A821F059-11AC-4F49-A252-5DC473ED6F2E"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6DAC0844-F418-457B-B97B-21B321BEC456"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3B0D228F-2398-4727-B25D-9C191A6B5B45"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C751ACB0-551E-44E3-9BAF-9DD5F51FA873"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "608DB219-F359-4056-8CE8-C360A57DDCE2"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FF3210DE-A99E-458E-AF49-3E8CD284D6AF"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "12809349-0DC1-4F4F-BB29-958717FD7C39"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5B45EDEE-EC64-474D-9959-6F1EAA1E6876"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.0:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "53503E8E-84B4-4CD1-8DDC-3C15BF98CEF9"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "096D5DC7-5898-4765-8E71-A89A5CABA54B"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3726DEC5-21ED-4E3D-9C3E-82D6762669AE"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C54E5105-221B-4911-A1DC-1736C20928B5"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.2:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "08F17BB4-0E84-4C73-B36C-E71D88D34FC9"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E228C4B2-24DE-4AEA-8485-35F2FFCF153D"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F734320C-329C-4E49-8516-62F5E4B0015F"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB9B2E26-AD5F-4B79-A3E1-46355602B4ED"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References