Vulnerabilites related to linuxfoundation - harbor
cve-2017-17697
Vulnerability from cvelistv5
Published
2017-12-15 09:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/vmware/harbor/issues/3755 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:17.365Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vmware/harbor/issues/3755"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-15T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vmware/harbor/issues/3755"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17697",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/vmware/harbor/issues/3755",
"refsource": "MISC",
"url": "https://github.com/vmware/harbor/issues/3755"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17697",
"datePublished": "2017-12-15T09:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T20:59:17.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-29662
Vulnerability from cvelistv5
Published
2021-02-02 20:54
Modified
2024-08-04 16:55
Severity ?
EPSS score ?
Summary
In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:10.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog\u2019s registry API is exposed on an unauthenticated path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-02T20:54:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29662",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog\u2019s registry API is exposed on an unauthenticated path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29662",
"datePublished": "2021-02-02T20:54:33",
"dateReserved": "2020-12-09T00:00:00",
"dateUpdated": "2024-08-04T16:55:10.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-19023
Vulnerability from cvelistv5
Published
2020-03-20 02:22
Modified
2024-08-05 02:02
Severity ?
EPSS score ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goharbor/harbor/security/advisories | x_refsource_MISC | |
| https://tanzu.vmware.com/security/cve-2019-19023 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:39.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T02:22:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19023"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-19023",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/goharbor/harbor/security/advisories",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"name": "https://tanzu.vmware.com/security/cve-2019-19023",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2019-19023"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-19023",
"datePublished": "2020-03-20T02:22:41",
"dateReserved": "2019-11-17T00:00:00",
"dateUpdated": "2024-08-05T02:02:39.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-20902
Vulnerability from cvelistv5
Published
2023-11-09 00:36
Modified
2024-09-04 13:18
Severity ?
EPSS score ?
Summary
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to
create jobs/stop job tasks and retrieve job task information.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:21:33.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:11:13.739344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T13:18:17.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Project",
"vendor": "Harbor",
"versions": [
{
"status": "affected",
"version": "\u003c=Harbor 2.6.x, \u003c=Harbor 2.7.2, \u003c=Harbor 2.8.2, \u003c=Harbor 1.10.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thanks to Porcupiney Hairs for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u0026nbsp; Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \u003cbr\u003ecreate jobs/stop job tasks and retrieve job task information.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u00a0 Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \ncreate jobs/stop job tasks and retrieve job task information.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-09T00:36:25.369Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Timing attack risk in Harbor",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-20902",
"datePublished": "2023-11-09T00:36:25.369Z",
"dateReserved": "2022-11-01T15:41:50.396Z",
"dateUpdated": "2024-09-04T13:18:17.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-46463
Vulnerability from cvelistv5
Published
2023-01-12 00:00
Modified
2024-08-03 14:31
Severity ?
EPSS score ?
Summary
An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature."
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:31:46.444Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/lanqingaa/123/blob/main/README.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Vad1mo"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor\u0027s position is that this \"is clearly described in the documentation as a feature.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/lanqingaa/123/blob/main/README.md"
},
{
"url": "https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d"
},
{
"url": "https://github.com/Vad1mo"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-46463",
"datePublished": "2023-01-12T00:00:00",
"dateReserved": "2022-12-05T00:00:00",
"dateUpdated": "2024-08-03T14:31:46.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-22278
Vulnerability from cvelistv5
Published
2024-08-02 00:59
Modified
2024-08-14 21:35
Severity ?
EPSS score ?
Summary
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T16:14:46.125656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T16:15:02.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "harbor",
"vendor": "harbor",
"versions": [
{
"lessThan": "\u003cv2.9.5",
"status": "affected",
"version": "2.9.4",
"versionType": "custom"
},
{
"lessThan": "\u003cv2.10.3",
"status": "affected",
"version": "2.10.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect user permission validation in Harbor \u0026lt;v2.9.5 and Harbor \u0026lt;v2.10.3 allows authenticated users to modify configurations."
}
],
"value": "Incorrect user permission validation in Harbor \u003cv2.9.5 and Harbor \u003cv2.10.3 allows authenticated users to modify configurations."
}
],
"impacts": [
{
"capecId": "CAPEC-176",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-176 Configuration/Environment Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T21:35:37.751Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating project configurations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22278",
"datePublished": "2024-08-02T00:59:55.313Z",
"dateReserved": "2024-01-08T18:43:18.959Z",
"dateUpdated": "2024-08-14T21:35:37.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-16919
Vulnerability from cvelistv5
Published
2019-10-18 11:59
Modified
2024-08-05 01:24
Severity ?
EPSS score ?
Summary
Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.
References
| ▼ | URL | Tags |
|---|---|---|
| https://landscape.cncf.io/selected=harbor | x_refsource_MISC | |
| http://www.vmware.com/security/advisories/VMSA-2019-0016.html | x_refsource_CONFIRM | |
| https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://landscape.cncf.io/selected=harbor"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0016.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don\u0027t have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-18T12:00:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://landscape.cncf.io/selected=harbor"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0016.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16919",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don\u0027t have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://landscape.cncf.io/selected=harbor",
"refsource": "MISC",
"url": "https://landscape.cncf.io/selected=harbor"
},
{
"name": "http://www.vmware.com/security/advisories/VMSA-2019-0016.html",
"refsource": "CONFIRM",
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0016.html"
},
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16919",
"datePublished": "2019-10-18T11:59:57",
"dateReserved": "2019-09-26T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-19029
Vulnerability from cvelistv5
Published
2020-03-20 02:02
Modified
2024-08-05 02:09
Severity ?
EPSS score ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goharbor/harbor/security/advisories | x_refsource_MISC | |
| https://tanzu.vmware.com/security/cve-2019-19029 | x_refsource_CONFIRM | |
| https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:09:37.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19029"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T02:02:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19029"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-19029",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/goharbor/harbor/security/advisories",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"name": "https://tanzu.vmware.com/security/cve-2019-19029",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2019-19029"
},
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-19029",
"datePublished": "2020-03-20T02:02:28",
"dateReserved": "2019-11-17T00:00:00",
"dateUpdated": "2024-08-05T02:09:37.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-19030
Vulnerability from cvelistv5
Published
2022-12-26 00:00
Modified
2024-08-05 02:09
Severity ?
EPSS score ?
Summary
Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:09:37.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-26T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-19030",
"datePublished": "2022-12-26T00:00:00",
"dateReserved": "2019-11-17T00:00:00",
"dateUpdated": "2024-08-05T02:09:37.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-16097
Vulnerability from cvelistv5
Published
2019-09-08 15:22
Modified
2024-08-05 01:03
Severity ?
EPSS score ?
Summary
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517 | x_refsource_MISC | |
| https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1 | x_refsource_MISC | |
| https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/ | x_refsource_MISC | |
| https://github.com/goharbor/harbor/releases/tag/v1.8.3 | x_refsource_MISC | |
| https://github.com/goharbor/harbor/releases/tag/v1.7.6 | x_refsource_MISC | |
| http://www.vmware.com/security/advisories/VMSA-2019-0015.html | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:03:32.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/releases/tag/v1.8.3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/releases/tag/v1.7.6"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0015.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-24T17:06:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/releases/tag/v1.8.3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/releases/tag/v1.7.6"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0015.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16097",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517"
},
{
"name": "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1"
},
{
"name": "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/",
"refsource": "MISC",
"url": "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/"
},
{
"name": "https://github.com/goharbor/harbor/releases/tag/v1.8.3",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/releases/tag/v1.8.3"
},
{
"name": "https://github.com/goharbor/harbor/releases/tag/v1.7.6",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/releases/tag/v1.7.6"
},
{
"name": "http://www.vmware.com/security/advisories/VMSA-2019-0015.html",
"refsource": "CONFIRM",
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0015.html"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16097",
"datePublished": "2019-09-08T15:22:49",
"dateReserved": "2019-09-08T00:00:00",
"dateUpdated": "2024-08-05T01:03:32.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-31668
Vulnerability from cvelistv5
Published
2024-11-14 11:56
Modified
2024-11-14 19:33
Severity ?
EPSS score ?
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31668",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T18:53:45.416941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:33:24.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating p2p preheat policies.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:56:31.043Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "User permission validation failure and disclosure of P2P preheat execution logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31668",
"datePublished": "2024-11-14T11:56:31.043Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T19:33:24.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-19025
Vulnerability from cvelistv5
Published
2020-03-20 02:01
Modified
2024-08-05 02:02
Severity ?
EPSS score ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goharbor/harbor/security/advisories | x_refsource_MISC | |
| https://tanzu.vmware.com/security/cve-2019-19025 | x_refsource_CONFIRM | |
| https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:39.868Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19025"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T02:01:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19025"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-19025",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/goharbor/harbor/security/advisories",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"name": "https://tanzu.vmware.com/security/cve-2019-19025",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2019-19025"
},
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-19025",
"datePublished": "2020-03-20T02:01:41",
"dateReserved": "2019-11-17T00:00:00",
"dateUpdated": "2024-08-05T02:02:39.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-19026
Vulnerability from cvelistv5
Published
2020-03-20 02:01
Modified
2024-08-05 02:02
Severity ?
EPSS score ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goharbor/harbor/security/advisories | x_refsource_MISC | |
| https://tanzu.vmware.com/security/cve-2019-19026 | x_refsource_CONFIRM | |
| https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:40.127Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19026"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T02:01:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19026"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-19026",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/goharbor/harbor/security/advisories",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"name": "https://tanzu.vmware.com/security/cve-2019-19026",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2019-19026"
},
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-19026",
"datePublished": "2020-03-20T02:01:55",
"dateReserved": "2019-11-17T00:00:00",
"dateUpdated": "2024-08-05T02:02:40.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-3990
Vulnerability from cvelistv5
Published
2019-12-03 16:55
Modified
2024-08-04 19:26
Severity ?
EPSS score ?
Summary
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.tenable.com/security/research/tra-2019-50 | x_refsource_MISC | |
| https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:26:27.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2019-50"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor versions 1.9.1 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A User Enumeration flaw exists in Harbor. The issue is present in the \"/users\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the \"search\" functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User Enumeration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-03T16:55:15",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2019-50"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnreport@tenable.com",
"ID": "CVE-2019-3990",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Harbor",
"version": {
"version_data": [
{
"version_value": "Harbor versions 1.9.1 and prior"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A User Enumeration flaw exists in Harbor. The issue is present in the \"/users\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the \"search\" functionality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User Enumeration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tenable.com/security/research/tra-2019-50",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2019-50"
},
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg",
"refsource": "CONFIRM",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2019-3990",
"datePublished": "2019-12-03T16:55:15",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-08-04T19:26:27.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13794
Vulnerability from cvelistv5
Published
2020-09-29 20:17
Modified
2024-08-04 12:25
Severity ?
EPSS score ?
Summary
Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goharbor/harbor/releases | x_refsource_MISC | |
| https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432 | x_refsource_MISC | |
| https://www.cybereagle.io/blog/cve-2020-13794/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:25:16.567Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cybereagle.io/blog/cve-2020-13794/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-30T18:45:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cybereagle.io/blog/cve-2020-13794/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13794",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/goharbor/harbor/releases",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/releases"
},
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432"
},
{
"name": "https://www.cybereagle.io/blog/cve-2020-13794/",
"refsource": "MISC",
"url": "https://www.cybereagle.io/blog/cve-2020-13794/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13794",
"datePublished": "2020-09-29T20:17:10",
"dateReserved": "2020-06-03T00:00:00",
"dateUpdated": "2024-08-04T12:25:16.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13788
Vulnerability from cvelistv5
Published
2020-07-15 20:04
Modified
2024-08-04 12:25
Severity ?
EPSS score ?
Summary
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/goharbor/harbor/releases | x_refsource_MISC | |
| https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788 | x_refsource_CONFIRM | |
| https://www.youtube.com/watch?v=v8Isqy4yR3Q | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:25:16.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/releases"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=v8Isqy4yR3Q"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server\u0027s intranet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-15T20:04:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/releases"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=v8Isqy4yR3Q"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13788",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server\u0027s intranet."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/goharbor/harbor/releases",
"refsource": "MISC",
"url": "https://github.com/goharbor/harbor/releases"
},
{
"name": "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788",
"refsource": "CONFIRM",
"url": "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788"
},
{
"name": "https://www.youtube.com/watch?v=v8Isqy4yR3Q",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=v8Isqy4yR3Q"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13788",
"datePublished": "2020-07-15T20:04:57",
"dateReserved": "2020-06-03T00:00:00",
"dateUpdated": "2024-08-04T12:25:16.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-31671
Vulnerability from cvelistv5
Published
2024-11-14 11:42
Modified
2024-11-14 14:10
Severity ?
EPSS score ?
Summary
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:10:09.378741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:10:27.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;could read all the job logs stored in the Harbor database.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users\u00a0could read all the job logs stored in the Harbor database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:42:22.373Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw"
},
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when reading and updating job execution logs through the P2P preheat execution logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31671",
"datePublished": "2024-11-14T11:42:22.373Z",
"dateReserved": "2022-05-25T23:31:47.419Z",
"dateUpdated": "2024-11-14T14:10:27.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-31667
Vulnerability from cvelistv5
Published
2024-11-14 11:50
Modified
2024-11-14 14:11
Severity ?
EPSS score ?
Summary
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:10:48.659302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:11:06.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating a robot account that\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebelongs to a project that the authenticated user doesn\u2019t have access to.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request that attempts to update a robot account, and specifying a robot\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eaccount id and robot account name that belongs to a different project that the user\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edoesn\u2019t have access to, it was possible to revoke the robot account permissions.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating a robot account that\u00a0belongs to a project that the authenticated user doesn\u2019t have access to.\u00a0\n\nBy sending a request that attempts to update a robot account, and specifying a robot\u00a0account id and robot account name that belongs to a different project that the user\u00a0doesn\u2019t have access to, it was possible to revoke the robot account permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:50:48.289Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating a robot account",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31667",
"datePublished": "2024-11-14T11:50:48.289Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T14:11:06.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-31670
Vulnerability from cvelistv5
Published
2024-11-14 11:45
Modified
2024-11-14 14:09
Severity ?
EPSS score ?
Summary
Harbor fails to validate the user permissions when updating tag retention policies.
By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify
tag retention policies configured in other projects.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:09:30.950454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:09:48.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating tag retention policies.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a tag retention policy with an id that belongs to a project\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethat the currently authenticated user doesn\u2019t have access to, the attacker could modify\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003etag retention policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating tag retention policies.\u00a0\n\nBy sending a request to update a tag retention policy with an id that belongs to a project\u00a0that the currently authenticated user doesn\u2019t have access to, the attacker could modify\ntag retention policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:45:22.257Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating tag retention policies",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31670",
"datePublished": "2024-11-14T11:45:22.257Z",
"dateReserved": "2022-05-25T23:31:47.419Z",
"dateUpdated": "2024-11-14T14:09:48.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-31669
Vulnerability from cvelistv5
Published
2024-11-14 11:48
Modified
2024-11-15 17:30
Severity ?
EPSS score ?
Summary
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesn’t have access to, the attacker could
modify tag immutability policies configured in other projects.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31669",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T17:30:12.401196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T17:30:33.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating tag immutability policies.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a tag immutability policy with an id that belongs to a\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eproject that the currently authenticated user doesn\u2019t have access to, the attacker could\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emodify tag immutability policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating tag immutability policies.\u00a0\n\nBy sending a request to update a tag immutability policy with an id that belongs to a\nproject that the currently authenticated user doesn\u2019t have access to, the attacker could\nmodify tag immutability policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:48:03.444Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating tag immutability policies",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31669",
"datePublished": "2024-11-14T11:48:03.444Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-15T17:30:33.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:25
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@vmware.com | https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar las pol\u00edticas de precalentamiento P2P. Al enviar una solicitud para actualizar una pol\u00edtica de precalentamiento P2P con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podr\u00eda modificar las pol\u00edticas de precalentamiento P2P configuradas en otros proyectos."
}
],
"id": "CVE-2022-31668",
"lastModified": "2024-11-19T15:25:25.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 3.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:16.607",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:40
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Summary
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users\u00a0could read all the job logs stored in the Harbor database."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al leer y actualizar los registros de ejecuci\u00f3n de trabajos a trav\u00e9s de los registros de ejecuci\u00f3n de precalentamiento P2P. Al enviar una solicitud que intenta leer o actualizar los registros de ejecuci\u00f3n de precalentamiento P2P y especificar diferentes identificadores de trabajo, los usuarios autenticados malintencionados podr\u00edan leer todos los registros de trabajo almacenados en la base de datos de Harbor."
}
],
"id": "CVE-2022-31671",
"lastModified": "2024-11-19T15:40:44.150",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 3.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 3.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:17.250",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
},
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-15 21:15
Modified
2024-11-21 05:01
Severity ?
Summary
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/goharbor/harbor/releases | Third Party Advisory | |
| cve@mitre.org | https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.youtube.com/watch?v=v8Isqy4yR3Q | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/releases | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.youtube.com/watch?v=v8Isqy4yR3Q | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "49E675AC-61F8-448D-A981-752BB48390A8",
"versionEndExcluding": "2.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server\u0027s intranet."
},
{
"lang": "es",
"value": "Harbor versiones anteriores a 2.0.1, permite un ataque de tipo SSRF con esta limitaci\u00f3n: un atacante con la capacidad de editar proyectos puede escanear puertos de hosts accesibles en la intranet del servidor Harbor"
}
],
"id": "CVE-2020-13788",
"lastModified": "2024-11-21T05:01:51.537",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-15T21:15:12.300",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/releases"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.youtube.com/watch?v=v8Isqy4yR3Q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/releases"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.youtube.com/watch?v=v8Isqy4yR3Q"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-30 18:15
Modified
2024-11-21 05:01
Severity ?
Summary
Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/goharbor/harbor/releases | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432 | Exploit, Patch, Third Party Advisory | |
| cve@mitre.org | https://www.cybereagle.io/blog/cve-2020-13794/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/releases | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cybereagle.io/blog/cve-2020-13794/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0C24CE4-93BD-48EB-824C-D89FBE1A9C36",
"versionEndExcluding": "2.0.3",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor."
},
{
"lang": "es",
"value": "Harbour versiones 1.9.* 1.10.* Y 2.0.*, permite una Exposici\u00f3n de Informaci\u00f3n Confidencial hacia un actor no autorizado"
}
],
"id": "CVE-2020-13794",
"lastModified": "2024-11-21T05:01:52.297",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-30T18:15:21.193",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/releases"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.cybereagle.io/blog/cve-2020-13794/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/releases"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.cybereagle.io/blog/cve-2020-13794/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-26 22:15
Modified
2024-11-21 04:34
Severity ?
Summary
Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0D1EA38-68D8-4AAD-BCFD-E3D57E935A73",
"versionEndExcluding": "1.10.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2F8ED53E-A64A-49BE-A24A-CDF37E6D3255",
"versionEndExcluding": "2.0.1",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists."
},
{
"lang": "es",
"value": "Cloud Native Computing Foundation Harbor anterior a 1.10.3 y 2.x anterior a 2.0.1 permite la enumeraci\u00f3n de recursos porque las llamadas API no autenticadas revelan (a trav\u00e9s del c\u00f3digo de estado HTTP) si existe un recurso."
}
],
"id": "CVE-2019-19030",
"lastModified": "2024-11-21T04:34:01.580",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-26T22:15:10.247",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:20
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Harbor fails to validate the user permissions when updating tag retention policies.
By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify
tag retention policies configured in other projects.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@vmware.com | https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A003057-D07D-42FC-823E-750DE181D14D",
"versionEndExcluding": "1.10.13",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating tag retention policies.\u00a0\n\nBy sending a request to update a tag retention policy with an id that belongs to a project\u00a0that the currently authenticated user doesn\u2019t have access to, the attacker could modify\ntag retention policies configured in other projects."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar las pol\u00edticas de retenci\u00f3n de etiquetas. Al enviar una solicitud para actualizar una pol\u00edtica de retenci\u00f3n de etiquetas con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podr\u00eda modificar las pol\u00edticas de retenci\u00f3n de etiquetas configuradas en otros proyectos."
}
],
"id": "CVE-2022-31670",
"lastModified": "2024-11-19T15:20:54.243",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:17.040",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-20 03:15
Modified
2024-11-21 04:34
Severity ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://tanzu.vmware.com/security/cve-2019-19023 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tanzu.vmware.com/security/cve-2019-19023 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| pivotal | vmware_harbor_registry | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4E5A15D3-299C-482C-A798-20198E91D47B",
"versionEndExcluding": "1.8.6",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0829EA39-6511-45B4-9EB1-88CD2F38703F",
"versionEndExcluding": "1.9.3",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal:vmware_harbor_registry:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CDDCCD0D-4DA6-4D27-A48A-868FFE4B2561",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform."
},
{
"lang": "es",
"value": "Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, presenta una Vulnerabilidad de Escalada de Privilegios en el VMware Harbor Container Registry para la Pivotal Platform."
}
],
"id": "CVE-2019-19023",
"lastModified": "2024-11-21T04:34:01.017",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-20T03:15:13.090",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19023"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19023"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-02 01:15
Modified
2024-08-14 22:15
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@vmware.com | https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E90E376-D680-4DB6-90B9-81B7144C287F",
"versionEndExcluding": "2.9.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BFE92EA-3C83-4C23-BDB3-FDDCAF9A6BA8",
"versionEndExcluding": "2.10.3",
"versionStartIncluding": "2.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect user permission validation in Harbor \u003cv2.9.5 and Harbor \u003cv2.10.3 allows authenticated users to modify configurations."
},
{
"lang": "es",
"value": " La validaci\u00f3n de permisos de usuario incorrecta en Harbor "
}
],
"id": "CVE-2024-22278",
"lastModified": "2024-08-14T22:15:04.253",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-02T01:15:23.077",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-18 12:15
Modified
2024-11-21 04:31
Severity ?
Summary
Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.vmware.com/security/advisories/VMSA-2019-0016.html | Third Party Advisory | |
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624 | Patch, Third Party Advisory | |
| cve@mitre.org | https://landscape.cncf.io/selected=harbor | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.vmware.com/security/advisories/VMSA-2019-0016.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://landscape.cncf.io/selected=harbor | Product, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | 1.9.0 | |
| vmware | cloud_foundation | - | |
| vmware | harbor_container_registry | * | |
| vmware | harbor_container_registry | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A78D74C0-A7FA-4F4E-9238-5A31F4C94A4D",
"versionEndIncluding": "1.8.3",
"versionStartIncluding": "1.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "93DEFD35-079B-47BC-B82A-8C43804660C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:cloud_foundation:-:*:*:*:*:*:*:*",
"matchCriteriaId": "31A7BB38-3238-413E-9736-F1A165D40867",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:harbor_container_registry:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "D927AFA0-8F21-48A5-9A0A-C62CF9AD786F",
"versionEndIncluding": "1.7.6",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:harbor_container_registry:*:*:*:*:*:pivotal_cloud_foundry:*:*",
"matchCriteriaId": "D3848163-C044-4D72-A7DE-FE510C428596",
"versionEndExcluding": "1.8.4",
"versionStartIncluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don\u0027t have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account."
},
{
"lang": "es",
"value": "La API de Harbor tiene una vulnerabilidad de Control de Acceso Interrumpido. La vulnerabilidad permite a los administradores de proyectos utilizar la API de Harbor para crear una cuenta robot con permisos de acceso no autorizados para presionar y/o arrastrar en un proyecto al que no tienen acceso o control. La API de Harbor aplic\u00f3 los permisos y el alcance del proyecto apropiados en la petici\u00f3n de API para crear una nueva cuenta robot."
}
],
"id": "CVE-2019-16919",
"lastModified": "2024-11-21T04:31:20.477",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-18T12:15:10.190",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0016.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://landscape.cncf.io/selected=harbor"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://landscape.cncf.io/selected=harbor"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-09 01:15
Modified
2024-11-21 07:41
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to
create jobs/stop job tasks and retrieve job task information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@vmware.com | https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "225BD7C9-8163-410E-80C3-25FA2DB3E17F",
"versionEndExcluding": "1.10.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "752DA342-ED60-4E9E-BB1B-B73CE61A95FF",
"versionEndIncluding": "2.6.4",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB5FC66-7E27-4199-9E68-698F222039F9",
"versionEndExcluding": "2.7.3",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2D7140D-E5FB-4A2E-85D2-48BF5AB512C5",
"versionEndExcluding": "2.8.3",
"versionStartIncluding": "2.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u00a0 Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \ncreate jobs/stop job tasks and retrieve job task information.\n\n\n"
},
{
"lang": "es",
"value": "Una condici\u00f3n de sincronizaci\u00f3n en Harbor 2.6.x y anteriores, Harbor 2.7.2 y anteriores, Harbor 2.8.2 y anteriores y Harbor 1.10.17 y anteriores permite a un atacante con acceso a la red crear trabajos/detener tareas de trabajo y recuperar informaci\u00f3n de tareas de trabajo. ."
}
],
"id": "CVE-2023-20902",
"lastModified": "2024-11-21T07:41:47.283",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-09T01:15:07.660",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-03 17:15
Modified
2024-11-21 04:43
Severity ?
Summary
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| vulnreport@tenable.com | https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg | Patch, Third Party Advisory | |
| vulnreport@tenable.com | https://www.tenable.com/security/research/tra-2019-50 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.tenable.com/security/research/tra-2019-50 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | 1.9.0 | |
| linuxfoundation | harbor | 1.9.0 | |
| linuxfoundation | harbor | 1.9.0 | |
| linuxfoundation | harbor | 1.9.1 | |
| linuxfoundation | harbor | 1.9.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F134317F-4296-42B6-8915-32810C62EA1E",
"versionEndIncluding": "1.7.6",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "026081A9-A57C-44AA-95CC-2E0A984748DF",
"versionEndIncluding": "1.8.5",
"versionStartIncluding": "1.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2AD98173-4AAE-485F-BA41-F0E575EFD6E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB9B2E26-AD5F-4B79-A3E1-46355602B4ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2C01B4A7-A85B-4057-9923-6AD82CE37C10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.1:-:*:*:*:*:*:*",
"matchCriteriaId": "4003793B-3CA7-462C-9B33-8898D4A6CFD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A8711FA8-827F-4887-BB20-53A4B0E6E9C9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A User Enumeration flaw exists in Harbor. The issue is present in the \"/users\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the \"search\" functionality."
},
{
"lang": "es",
"value": "Se presenta un fallo de Enumeraci\u00f3n de Usuarios en Harbor. El problema est\u00e1 presente en el endpoint de la API \"/users\". Se supone que este endpoint est\u00e1 restringido a los administradores. Esta restricci\u00f3n puede ser omitida y la informaci\u00f3n puede ser obtenida acerca de los usuarios registrados por medio de la funcionalidad \"search\"."
}
],
"id": "CVE-2019-3990",
"lastModified": "2024-11-21T04:43:01.013",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-03T17:15:11.727",
"references": [
{
"source": "vulnreport@tenable.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg"
},
{
"source": "vulnreport@tenable.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.tenable.com/security/research/tra-2019-50"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.tenable.com/security/research/tra-2019-50"
}
],
"sourceIdentifier": "vulnreport@tenable.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:25
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Summary
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@vmware.com | https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating a robot account that\u00a0belongs to a project that the authenticated user doesn\u2019t have access to.\u00a0\n\nBy sending a request that attempts to update a robot account, and specifying a robot\u00a0account id and robot account name that belongs to a different project that the user\u00a0doesn\u2019t have access to, it was possible to revoke the robot account permissions."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar una cuenta de robot que pertenece a un proyecto al que el usuario autenticado no tiene acceso. Al enviar una solicitud que intenta actualizar una cuenta de robot y especificar un ID y un nombre de cuenta de robot que pertenecen a un proyecto diferente al que el usuario no tiene acceso, fue posible revocar los permisos de la cuenta de robot."
}
],
"id": "CVE-2022-31667",
"lastModified": "2024-11-19T15:25:29.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:16.390",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-20 03:15
Modified
2024-11-21 04:34
Severity ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6 | Third Party Advisory | |
| cve@mitre.org | https://tanzu.vmware.com/security/cve-2019-19025 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tanzu.vmware.com/security/cve-2019-19025 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| pivotal | vmware_harbor_registry | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4E5A15D3-299C-482C-A798-20198E91D47B",
"versionEndExcluding": "1.8.6",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0829EA39-6511-45B4-9EB1-88CD2F38703F",
"versionEndExcluding": "1.9.3",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal:vmware_harbor_registry:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CDDCCD0D-4DA6-4D27-A48A-868FFE4B2561",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform."
},
{
"lang": "es",
"value": "Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite un ataque de tipo CSRF en el VMware Harbor Container Registry para la Pivotal Platform."
}
],
"id": "CVE-2019-19025",
"lastModified": "2024-11-21T04:34:01.150",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-20T03:15:13.200",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19025"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:20
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesn’t have access to, the attacker could
modify tag immutability policies configured in other projects.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@vmware.com | https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating tag immutability policies.\u00a0\n\nBy sending a request to update a tag immutability policy with an id that belongs to a\nproject that the currently authenticated user doesn\u2019t have access to, the attacker could\nmodify tag immutability policies configured in other projects."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar las pol\u00edticas de inmutabilidad de etiquetas. Al enviar una solicitud para actualizar una pol\u00edtica de inmutabilidad de etiquetas con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podr\u00eda modificar las pol\u00edticas de inmutabilidad de etiquetas configuradas en otros proyectos."
}
],
"id": "CVE-2022-31669",
"lastModified": "2024-11-19T15:20:01.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:16.817",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-15 09:29
Modified
2024-11-21 03:18
Severity ?
Summary
The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/vmware/harbor/issues/3755 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vmware/harbor/issues/3755 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | 1.3.0 | |
| linuxfoundation | harbor | 1.3.0 | |
| linuxfoundation | harbor | 1.3.0 | |
| linuxfoundation | harbor | 1.3.0 | |
| linuxfoundation | harbor | 1.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AFA993FF-65EA-4E68-A42D-DC90BF6EB5BD",
"versionEndExcluding": "1.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "E30D81B7-F0CF-48A6-9609-3F9E99BB2C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A3431146-523A-406B-BA09-D87ADE1A366B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "8D8132A2-22DD-4AFE-946B-CCE77A269CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.3.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "477AE0D2-7564-4DCC-9A13-DD6830B3EF7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "92BBA071-38DE-410C-92CA-B626F768BA9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping."
},
{
"lang": "es",
"value": "La funci\u00f3n Ping() en ui/api/target.go en Harbor hasta la versi\u00f3n 1.3.0-rc4 tiene SSRF mediante el par\u00e1metro endpoint en /api/targets/ping."
}
],
"id": "CVE-2017-17697",
"lastModified": "2024-11-21T03:18:28.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-15T09:29:00.437",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vmware/harbor/issues/3755"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vmware/harbor/issues/3755"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-20 03:15
Modified
2024-11-21 04:34
Severity ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w | Third Party Advisory | |
| cve@mitre.org | https://tanzu.vmware.com/security/cve-2019-19029 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tanzu.vmware.com/security/cve-2019-19029 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| pivotal | vmware_harbor_registry | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4E5A15D3-299C-482C-A798-20198E91D47B",
"versionEndExcluding": "1.8.6",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0829EA39-6511-45B4-9EB1-88CD2F38703F",
"versionEndExcluding": "1.9.3",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal:vmware_harbor_registry:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CDDCCD0D-4DA6-4D27-A48A-868FFE4B2561",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform."
},
{
"lang": "es",
"value": "Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite una inyecci\u00f3n SQL por medio de grupos de usuarios en el VMware Harbor Container Registry para la Pivotal Platform."
}
],
"id": "CVE-2019-19029",
"lastModified": "2024-11-21T04:34:01.437",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-20T03:15:13.373",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19029"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19029"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-13 00:15
Modified
2024-11-21 07:30
Severity ?
Summary
An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature."
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Vad1mo | Third Party Advisory | |
| cve@mitre.org | https://github.com/lanqingaa/123/blob/main/README.md | Third Party Advisory | |
| cve@mitre.org | https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Vad1mo | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lanqingaa/123/blob/main/README.md | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d | Broken Link |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C3E47565-584B-46C0-B78C-5091758B5F8A",
"versionEndIncluding": "2.5.3",
"versionStartIncluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor\u0027s position is that this \"is clearly described in the documentation as a feature.\""
},
{
"lang": "es",
"value": "Un problema de control de acceso en Harbor v1.XX a v2.5.3 permite a los atacantes acceder a repositorios de im\u00e1genes p\u00fablicos y privados sin autenticaci\u00f3n. NOTA: la posici\u00f3n del proveedor es que esto \"se describe claramente en la documentaci\u00f3n como una caracter\u00edstica\"."
}
],
"id": "CVE-2022-46463",
"lastModified": "2024-11-21T07:30:36.537",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-13T00:15:09.673",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Vad1mo"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/lanqingaa/123/blob/main/README.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Vad1mo"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/lanqingaa/123/blob/main/README.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-09-08 16:15
Modified
2024-11-21 04:30
Severity ?
Summary
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | 1.7.0 | |
| linuxfoundation | harbor | 1.7.0 | |
| linuxfoundation | harbor | 1.7.0 | |
| linuxfoundation | harbor | 1.7.1 | |
| linuxfoundation | harbor | 1.7.2 | |
| linuxfoundation | harbor | 1.7.3 | |
| linuxfoundation | harbor | 1.7.4 | |
| linuxfoundation | harbor | 1.7.5 | |
| linuxfoundation | harbor | 1.8.0 | |
| linuxfoundation | harbor | 1.8.0 | |
| linuxfoundation | harbor | 1.8.0 | |
| linuxfoundation | harbor | 1.8.1 | |
| linuxfoundation | harbor | 1.8.2 | |
| linuxfoundation | harbor | 1.8.2 | |
| linuxfoundation | harbor | 1.8.2 | |
| linuxfoundation | harbor | 1.9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.0:-:*:*:*:*:*:*",
"matchCriteriaId": "A821F059-11AC-4F49-A252-5DC473ED6F2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "6DAC0844-F418-457B-B97B-21B321BEC456",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3B0D228F-2398-4727-B25D-9C191A6B5B45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C751ACB0-551E-44E3-9BAF-9DD5F51FA873",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "608DB219-F359-4056-8CE8-C360A57DDCE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FF3210DE-A99E-458E-AF49-3E8CD284D6AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "12809349-0DC1-4F4F-BB29-958717FD7C39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "5B45EDEE-EC64-474D-9959-6F1EAA1E6876",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.0:-:*:*:*:*:*:*",
"matchCriteriaId": "53503E8E-84B4-4CD1-8DDC-3C15BF98CEF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "096D5DC7-5898-4765-8E71-A89A5CABA54B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "3726DEC5-21ED-4E3D-9C3E-82D6762669AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C54E5105-221B-4911-A1DC-1736C20928B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.2:-:*:*:*:*:*:*",
"matchCriteriaId": "08F17BB4-0E84-4C73-B36C-E71D88D34FC9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "E228C4B2-24DE-4AEA-8485-35F2FFCF153D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "F734320C-329C-4E49-8516-62F5E4B0015F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB9B2E26-AD5F-4B79-A3E1-46355602B4ED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP."
},
{
"lang": "es",
"value": "core/api/user.go en Harbor versi\u00f3n 1.7.0 hasta la versi\u00f3n 1.8.2 permite a los usuarios que no son administradores crear cuentas de administrador mediante el POST /api/users API, cuando Harbor se configura con DB como back-end de autenticaci\u00f3n y permite al usuario realizar el autorregistro. Esto se corrige en la versi\u00f3n 1.7.6, versi\u00f3n 1.8.3. versi\u00f3n 1.9.0. Soluci\u00f3n alternativa sin aplicar la correcci\u00f3n: configure Harbor para que utilice el backend de autenticaci\u00f3n que no sea de base de datos, como LDAP."
}
],
"id": "CVE-2019-16097",
"lastModified": "2024-11-21T04:30:01.773",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-08T16:15:11.820",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0015.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/releases/tag/v1.7.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/releases/tag/v1.8.3"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2019-0015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/releases/tag/v1.7.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/releases/tag/v1.8.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-02-02 21:15
Modified
2024-11-21 05:24
Severity ?
Summary
In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D58664D0-96A3-4C90-9977-3D0DE6C416EC",
"versionEndExcluding": "2.0.5",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E3CC6E9-54C3-4DC8-96D8-7B28F9A55CD2",
"versionEndExcluding": "2.1.2",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog\u2019s registry API is exposed on an unauthenticated path."
},
{
"lang": "es",
"value": "En Harbour versiones 2.0 anteriores a 2.0.5 y versiones 2.1.x anteriores a 2.1.2, la API de registro del cat\u00e1logo est\u00e1 expuesta en una ruta no autenticada"
}
],
"id": "CVE-2020-29662",
"lastModified": "2024-11-21T05:24:23.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-02T21:15:13.960",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-20 03:15
Modified
2024-11-21 04:34
Severity ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64 | Third Party Advisory | |
| cve@mitre.org | https://tanzu.vmware.com/security/cve-2019-19026 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tanzu.vmware.com/security/cve-2019-19026 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| pivotal | vmware_harbor_registry | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4E5A15D3-299C-482C-A798-20198E91D47B",
"versionEndExcluding": "1.8.6",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0829EA39-6511-45B4-9EB1-88CD2F38703F",
"versionEndExcluding": "1.9.3",
"versionStartIncluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal:vmware_harbor_registry:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CDDCCD0D-4DA6-4D27-A48A-868FFE4B2561",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform."
},
{
"lang": "es",
"value": "Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite una inyecci\u00f3n SQL por medio de cuotas de proyecto en el VMware Harbor Container Registry para la Pivotal Platform."
}
],
"id": "CVE-2019-19026",
"lastModified": "2024-11-21T04:34:01.290",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-20T03:15:13.310",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19026"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://tanzu.vmware.com/security/cve-2019-19026"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}