CVE-2019-16097

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
Configurations

Configuration 1

cpe:2.3:a:linuxfoundation:harbor:1.7.0:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.2:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.3:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.4:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.5:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*

Information

Published : 2019-09-08 04:15

Updated : 2020-08-24 05:37


NVD link : CVE-2019-16097

Mitre link : CVE-2019-16097

Products Affected
No products.
CWE