CVE-2019-16097

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:linuxfoundation:harbor:1.7.0:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.2:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.3:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.4:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.5:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*

History

No history.

Information

Published : 2019-09-08 16:15

Updated : 2024-02-04 20:20


NVD link : CVE-2019-16097

Mitre link : CVE-2019-16097

CVE.ORG link : CVE-2019-16097


JSON object : View

Products Affected

linuxfoundation

  • harbor
CWE
CWE-862

Missing Authorization