Impact

The internal Harbor team has identified a Broken Access Control critical vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.

Known Attack Vectors

A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.

Patches

If your product uses the affected releases of Harbor, update to version 1.8.4 and 1.9.1 to patch this issue immediately.

• https://github.com/goharbor/harbor/releases/tag/v1.8.4
• https://github.com/goharbor/harbor/releases/tag/v1.9.1

Workarounds

There is no workaround for this issue

For more information

If you have any questions or comments about this advisory, contact [email protected]

• View our security policy at https://github.com/goharbor/harbor/security/policy
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16919