CVE-2019-3990

Published Dec 3, 2019

Last updated 4 years ago

CVSS medium 4.3

Overview

Description: A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality.
Source: vulnreport@tenable.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.3
Impact score: 1.4
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4
Impact score: 2.9
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-269

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F134317F-4296-42B6-8915-32810C62EA1E",
            "versionEndIncluding": "1.7.6",
            "versionStartIncluding": "1.7.0"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "026081A9-A57C-44AA-95CC-2E0A984748DF",
            "versionEndIncluding": "1.8.5",
            "versionStartIncluding": "1.8.0"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2AD98173-4AAE-485F-BA41-F0E575EFD6E8"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB9B2E26-AD5F-4B79-A3E1-46355602B4ED"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2C01B4A7-A85B-4057-9923-6AD82CE37C10"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.1:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4003793B-3CA7-462C-9B33-8898D4A6CFD4"
          },
          {
            "criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.1:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A8711FA8-827F-4887-BB20-53A4B0E6E9C9"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References