core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API: the handler decoded the request body into the user model, including its admin-role field, without checking that the caller was an administrator, so a self-registration request carrying `"has_admin_role": true` produced an admin account. On installations where self-registration is enabled (the default in those versions) this is exploitable without any prior credentials. Fixed in 1.9.0-rc1, with the fix backported to the 1.7.6 and 1.8.3 releases.
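The following Go program is an added example, not Harbor's code, that models the pattern behind this CVE and its fix. It assumes a simplified user model (the JSON field names, the `X-Example-Role` header used to stand in for Harbor's session role lookup, and the in-memory store are all assumptions for illustration): the vulnerable handler stores whatever admin flag the client sent, the fixed handler resets that flag unless the caller is already an admin.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User mirrors the shape of a user record as far as this example needs.
// The JSON tag names are assumptions, not Harbor's exact model.
type User struct {
	Username     string `json:"username"`
	Email        string `json:"email"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// callerIsAdmin is a stand-in for the server's session/role lookup (assumption:
// a real deployment derives this from the authenticated session, never a header).
func callerIsAdmin(r *http.Request) bool {
	return r.Header.Get("X-Example-Role") == "admin"
}

// vulnerableCreateUser decodes the body straight into the User struct and
// stores it. Nothing strips the admin flag, so an anonymous self-registration
// request can set has_admin_role:true and obtain an admin account.
func vulnerableCreateUser(store map[string]User) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var u User
		if err := json.NewDecoder(r.Body).Decode(&u); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		store[u.Username] = u
		w.WriteHeader(http.StatusCreated)
	}
}

// fixedCreateUser performs the same decode, but the admin flag is server
// controlled: only an authenticated admin may grant it; everyone else gets a
// plain user regardless of what the request body says.
func fixedCreateUser(store map[string]User) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var u User
		if err := json.NewDecoder(r.Body).Decode(&u); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !callerIsAdmin(r) {
			u.HasAdminRole = false
		}
		store[u.Username] = u
		w.WriteHeader(http.StatusCreated)
	}
}

// register sends a self-registration body that asks for admin (constructed
// sample input) to a handler and reports the HTTP status and whether the
// stored account ended up with the admin role.
func register(h http.HandlerFunc, asAdmin bool, store map[string]User) (int, bool) {
	body := `{"username":"attacker","email":"a@example.invalid","password":"Password1","has_admin_role":true}`
	req := httptest.NewRequest(http.MethodPost, "/api/users", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if asAdmin {
		req.Header.Set("X-Example-Role", "admin")
	}
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code, store["attacker"].HasAdminRole
}

// AdminGranted runs the request against the fixed or vulnerable handler with a
// fresh store and returns (status code, whether the new account is admin).
func AdminGranted(fixed bool, asAdmin bool) (int, bool) {
	store := map[string]User{}
	var h http.HandlerFunc
	if fixed {
		h = fixedCreateUser(store)
	} else {
		h = vulnerableCreateUser(store)
	}
	return register(h, asAdmin, store)
}

func main() {
	_, v := AdminGranted(false, false)
	_, f := AdminGranted(true, false)
	_, a := AdminGranted(true, true)
	fmt.Printf("vulnerable handler, anonymous caller: admin=%v\n", v) // true
	fmt.Printf("fixed handler, anonymous caller:      admin=%v\n", f) // false
	fmt.Printf("fixed handler, admin caller:          admin=%v\n", a) // true
}
```

The general lesson is the one the fix commit applies: never bind a privilege-bearing field directly from a client-supplied request body. Either decode into a request type that has no such field, or overwrite it from the caller's verified role before persisting, as the fixed handler does.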
Affected versions (CPE):

Name | Operator | Version
---|---|---
github.com/goharbor/harbor | ge | 1.7.0
github.com/goharbor/harbor | lt | 1.9.0-rc1
www.vmware.com/security/advisories/VMSA-2019-0015.html
github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517
github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1
github.com/goharbor/harbor/releases/tag/v1.7.6
github.com/goharbor/harbor/releases/tag/v1.8.3
github.com/ianxtianxt/CVE-2019-16097
nvd.nist.gov/vuln/detail/CVE-2019-16097
unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097