Vulnerabilities related to linuxfoundation - harbor
Vulnerability from fkie_nvd
Published
2020-03-20 03:15
Modified
2024-11-21 04:34
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4E5A15D3-299C-482C-A798-20198E91D47B",
                     versionEndExcluding: "1.8.6",
                     versionStartIncluding: "1.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0829EA39-6511-45B4-9EB1-88CD2F38703F",
                     versionEndExcluding: "1.9.3",
                     versionStartIncluding: "1.9.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pivotal:vmware_harbor_registry:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDDCCD0D-4DA6-4D27-A48A-868FFE4B2561",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.",
      },
      {
         lang: "es",
         value: "Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, presenta una Vulnerabilidad de Escalada de Privilegios en el VMware Harbor Container Registry para la Pivotal Platform.",
      },
   ],
   id: "CVE-2019-19023",
   lastModified: "2024-11-21T04:34:01.017",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-03-20T03:15:13.090",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tanzu.vmware.com/security/cve-2019-19023",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tanzu.vmware.com/security/cve-2019-19023",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:20
Summary
Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2A003057-D07D-42FC-823E-750DE181D14D",
                     versionEndExcluding: "1.10.13",
                     versionStartIncluding: "1.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "14BEA987-A012-4745-A79A-7BCF5E9CD567",
                     versionEndExcluding: "2.4.3",
                     versionStartIncluding: "2.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1B643770-6018-4D81-B386-91011E437F0D",
                     versionEndExcluding: "2.5.2",
                     versionStartIncluding: "2.5.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Harbor fails to validate the user permissions when updating tag retention policies. \n\nBy sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify\ntag retention policies configured in other projects.",
      },
      {
         lang: "es",
         value: "Harbor no puede validar los permisos de usuario al actualizar las políticas de retención de etiquetas. Al enviar una solicitud para actualizar una política de retención de etiquetas con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podría modificar las políticas de retención de etiquetas configuradas en otros proyectos.",
      },
   ],
   id: "CVE-2022-31670",
   lastModified: "2024-11-19T15:20:54.243",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.7,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 4,
            source: "security@vmware.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.7,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-11-14T12:15:17.040",
   references: [
      {
         source: "security@vmware.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw",
      },
   ],
   sourceIdentifier: "security@vmware.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-285",
            },
         ],
         source: "security@vmware.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-863",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:25
Summary
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belong to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
Impacted products
Vendor Product Version
linuxfoundation harbor *
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "14BEA987-A012-4745-A79A-7BCF5E9CD567",
                     versionEndExcluding: "2.4.3",
                     versionStartIncluding: "2.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1B643770-6018-4D81-B386-91011E437F0D",
                     versionEndExcluding: "2.5.2",
                     versionStartIncluding: "2.5.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. \n\nBy sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.",
      },
      {
         lang: "es",
         value: "Harbor no puede validar los permisos de usuario al actualizar una cuenta de robot que pertenece a un proyecto al que el usuario autenticado no tiene acceso. Al enviar una solicitud que intenta actualizar una cuenta de robot y especificar un ID y un nombre de cuenta de robot que pertenecen a un proyecto diferente al que el usuario no tiene acceso, fue posible revocar los permisos de la cuenta de robot.",
      },
   ],
   id: "CVE-2022-31667",
   lastModified: "2024-11-19T15:25:29.643",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 6.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 2.7,
            source: "security@vmware.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 6.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-11-14T12:15:16.390",
   references: [
      {
         source: "security@vmware.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f",
      },
   ],
   sourceIdentifier: "security@vmware.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-285",
            },
         ],
         source: "security@vmware.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-863",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2019-09-08 16:15
Modified
2024-11-21 04:30
Summary
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is set up with DB as the authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.7.0:-:*:*:*:*:*:*",
                     matchCriteriaId: "A821F059-11AC-4F49-A252-5DC473ED6F2E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "6DAC0844-F418-457B-B97B-21B321BEC456",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "3B0D228F-2398-4727-B25D-9C191A6B5B45",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.7.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "C751ACB0-551E-44E3-9BAF-9DD5F51FA873",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.7.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "608DB219-F359-4056-8CE8-C360A57DDCE2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.7.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "FF3210DE-A99E-458E-AF49-3E8CD284D6AF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.7.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "12809349-0DC1-4F4F-BB29-958717FD7C39",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.7.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "5B45EDEE-EC64-474D-9959-6F1EAA1E6876",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.8.0:-:*:*:*:*:*:*",
                     matchCriteriaId: "53503E8E-84B4-4CD1-8DDC-3C15BF98CEF9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "096D5DC7-5898-4765-8E71-A89A5CABA54B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "3726DEC5-21ED-4E3D-9C3E-82D6762669AE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.8.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "C54E5105-221B-4911-A1DC-1736C20928B5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.8.2:-:*:*:*:*:*:*",
                     matchCriteriaId: "08F17BB4-0E84-4C73-B36C-E71D88D34FC9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "E228C4B2-24DE-4AEA-8485-35F2FFCF153D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "F734320C-329C-4E49-8516-62F5E4B0015F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "EB9B2E26-AD5F-4B79-A3E1-46355602B4ED",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.",
      },
      {
         lang: "es",
         value: "core/api/user.go en Harbor versión 1.7.0 hasta la versión 1.8.2 permite a los usuarios que no son administradores crear cuentas de administrador mediante el POST /api/users API, cuando Harbor se configura con DB como back-end de autenticación y permite al usuario realizar el autorregistro. Esto se corrige en la versión 1.7.6, versión 1.8.3. versión 1.9.0. Solución alternativa sin aplicar la corrección: configure Harbor para que utilice el backend de autenticación que no sea de base de datos, como LDAP.",
      },
   ],
   id: "CVE-2019-16097",
   lastModified: "2024-11-21T04:30:01.773",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 4,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:S/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2019-09-08T16:15:11.820",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.vmware.com/security/advisories/VMSA-2019-0015.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/releases/tag/v1.7.6",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/releases/tag/v1.8.3",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.vmware.com/security/advisories/VMSA-2019-0015.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/releases/tag/v1.7.6",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/releases/tag/v1.8.3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-862",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-09-30 18:15
Modified
2024-11-21 05:01
Summary
Harbor 1.9.*, 1.10.*, and 2.0.* allow Exposure of Sensitive Information to an Unauthorized Actor.
Impacted products
Vendor Product Version
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B0C24CE4-93BD-48EB-824C-D89FBE1A9C36",
                     versionEndExcluding: "2.0.3",
                     versionStartIncluding: "1.9.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor.",
      },
      {
         lang: "es",
         value: "Harbour versiones 1.9.* 1.10.* Y 2.0.*, permite una Exposición de Información Confidencial hacia un actor no autorizado",
      },
   ],
   id: "CVE-2020-13794",
   lastModified: "2024-11-21T05:01:52.297",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-09-30T18:15:21.193",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/releases",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.cybereagle.io/blog/cve-2020-13794/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/releases",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.cybereagle.io/blog/cve-2020-13794/",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-862",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-03-20 03:15
Modified
2024-11-21 04:34
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4E5A15D3-299C-482C-A798-20198E91D47B",
                     versionEndExcluding: "1.8.6",
                     versionStartIncluding: "1.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0829EA39-6511-45B4-9EB1-88CD2F38703F",
                     versionEndExcluding: "1.9.3",
                     versionStartIncluding: "1.9.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pivotal:vmware_harbor_registry:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDDCCD0D-4DA6-4D27-A48A-868FFE4B2561",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.",
      },
      {
         lang: "es",
         value: "Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite una inyección SQL por medio de cuotas de proyecto en el VMware Harbor Container Registry para la Pivotal Platform.",
      },
   ],
   id: "CVE-2019-19026",
   lastModified: "2024-11-21T04:34:01.290",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.2,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-03-20T03:15:13.310",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tanzu.vmware.com/security/cve-2019-19026",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tanzu.vmware.com/security/cve-2019-19026",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-89",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-03-20 03:15
Modified
2024-11-21 04:34
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4E5A15D3-299C-482C-A798-20198E91D47B",
                     versionEndExcluding: "1.8.6",
                     versionStartIncluding: "1.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0829EA39-6511-45B4-9EB1-88CD2F38703F",
                     versionEndExcluding: "1.9.3",
                     versionStartIncluding: "1.9.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pivotal:vmware_harbor_registry:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDDCCD0D-4DA6-4D27-A48A-868FFE4B2561",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.",
      },
      {
         lang: "es",
         value: "Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite un ataque de tipo CSRF en el VMware Harbor Container Registry para la Pivotal Platform.",
      },
   ],
   id: "CVE-2019-19025",
   lastModified: "2024-11-21T04:34:01.150",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.8,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-03-20T03:15:13.200",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tanzu.vmware.com/security/cve-2019-19025",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tanzu.vmware.com/security/cve-2019-19025",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-352",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-07-15 21:15
Modified
2024-11-21 05:01
Summary
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
Impacted products
Vendor Product Version
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "49E675AC-61F8-448D-A981-752BB48390A8",
                     versionEndExcluding: "2.0.1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.",
      },
      {
         lang: "es",
         value: "Harbor versiones anteriores a 2.0.1, permite un ataque de tipo SSRF con esta limitación: un atacante con la capacidad de editar proyectos puede escanear puertos de hosts accesibles en la intranet del servidor Harbor",
      },
   ],
   id: "CVE-2020-13788",
   lastModified: "2024-11-21T05:01:51.537",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-07-15T21:15:12.300",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/releases",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.youtube.com/watch?v=v8Isqy4yR3Q",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/releases",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://www.youtube.com/watch?v=v8Isqy4yR3Q",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-918",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2019-12-03 17:15
Modified
2024-11-21 04:43
Summary
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction can be bypassed, and information about registered users can be obtained via the "search" functionality.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F134317F-4296-42B6-8915-32810C62EA1E",
                     versionEndIncluding: "1.7.6",
                     versionStartIncluding: "1.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "026081A9-A57C-44AA-95CC-2E0A984748DF",
                     versionEndIncluding: "1.8.5",
                     versionStartIncluding: "1.8.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.9.0:-:*:*:*:*:*:*",
                     matchCriteriaId: "2AD98173-4AAE-485F-BA41-F0E575EFD6E8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "EB9B2E26-AD5F-4B79-A3E1-46355602B4ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "2C01B4A7-A85B-4057-9923-6AD82CE37C10",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.9.1:-:*:*:*:*:*:*",
                     matchCriteriaId: "4003793B-3CA7-462C-9B33-8898D4A6CFD4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.9.1:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "A8711FA8-827F-4887-BB20-53A4B0E6E9C9",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A User Enumeration flaw exists in Harbor. The issue is present in the \"/users\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction can be bypassed, and information about registered users can be obtained via the \"search\" functionality.",
      },
      {
         lang: "es",
         value: "Se presenta un fallo de Enumeración de Usuarios en Harbor. El problema está presente en el endpoint de la API \"/users\". Se supone que este endpoint está restringido a los administradores. Esta restricción puede ser omitida y la información puede ser obtenida acerca de los usuarios registrados por medio de la funcionalidad \"search\".",
      },
   ],
   id: "CVE-2019-3990",
   lastModified: "2024-11-21T04:43:01.013",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2019-12-03T17:15:11.727",
   references: [
      {
         source: "vulnreport@tenable.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg",
      },
      {
         source: "vulnreport@tenable.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.tenable.com/security/research/tra-2019-50",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.tenable.com/security/research/tra-2019-50",
      },
   ],
   sourceIdentifier: "vulnreport@tenable.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-269",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:40
Summary
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
Impacted products
Vendor Product Version
linuxfoundation harbor *
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "14BEA987-A012-4745-A79A-7BCF5E9CD567",
                     versionEndExcluding: "2.4.3",
                     versionStartIncluding: "2.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1B643770-6018-4D81-B386-91011E437F0D",
                     versionEndExcluding: "2.5.2",
                     versionStartIncluding: "2.5.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.",
      },
      {
         lang: "es",
         value: "Harbor no puede validar los permisos de usuario al leer y actualizar los registros de ejecución de trabajos a través de los registros de ejecución de precalentamiento P2P. Al enviar una solicitud que intenta leer o actualizar los registros de ejecución de precalentamiento P2P y especificar diferentes identificadores de trabajo, los usuarios autenticados malintencionados podrían leer todos los registros de trabajo almacenados en la base de datos de Harbor.",
      },
   ],
   id: "CVE-2022-31671",
   lastModified: "2024-11-19T15:40:44.150",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 7.4,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 3.7,
            source: "security@vmware.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 7.4,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 3.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-11-14T12:15:17.250",
   references: [
      {
         source: "security@vmware.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7",
      },
      {
         source: "security@vmware.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw",
      },
   ],
   sourceIdentifier: "security@vmware.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-285",
            },
         ],
         source: "security@vmware.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-863",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2017-12-15 09:29
Modified
2024-11-21 03:18
Summary
The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AFA993FF-65EA-4E68-A42D-DC90BF6EB5BD",
                     versionEndExcluding: "1.3.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.3.0:-:*:*:*:*:*:*",
                     matchCriteriaId: "E30D81B7-F0CF-48A6-9609-3F9E99BB2C91",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.3.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "A3431146-523A-406B-BA09-D87ADE1A366B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.3.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "8D8132A2-22DD-4AFE-946B-CCE77A269CE0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.3.0:rc3:*:*:*:*:*:*",
                     matchCriteriaId: "477AE0D2-7564-4DCC-9A13-DD6830B3EF7E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.3.0:rc4:*:*:*:*:*:*",
                     matchCriteriaId: "92BBA071-38DE-410C-92CA-B626F768BA9F",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.",
      },
      {
         lang: "es",
         value: "La función Ping() en ui/api/target.go en Harbor hasta la versión 1.3.0-rc4 tiene SSRF mediante el parámetro endpoint en /api/targets/ping.",
      },
   ],
   id: "CVE-2017-17697",
   lastModified: "2024-11-21T03:18:28.923",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 8.6,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2017-12-15T09:29:00.437",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://github.com/vmware/harbor/issues/3755",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://github.com/vmware/harbor/issues/3755",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-918",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-08-02 01:15
Modified
2024-08-14 22:15
Summary
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
Impacted products
Vendor Product Version
linuxfoundation harbor *
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5E90E376-D680-4DB6-90B9-81B7144C287F",
                     versionEndExcluding: "2.9.5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "3BFE92EA-3C83-4C23-BDB3-FDDCAF9A6BA8",
                     versionEndExcluding: "2.10.3",
                     versionStartIncluding: "2.10.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.",
      },
      {
         lang: "es",
         value: "La validación incorrecta de permisos de usuario en Harbor, versiones anteriores a 2.9.5 y versiones 2.10.x anteriores a 2.10.3, permite a usuarios autenticados modificar configuraciones.",
      },
   ],
   id: "CVE-2024-22278",
   lastModified: "2024-08-14T22:15:04.253",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 6.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 2.7,
            source: "security@vmware.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-08-02T01:15:23.077",
   references: [
      {
         source: "security@vmware.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3",
      },
   ],
   sourceIdentifier: "security@vmware.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-269",
            },
         ],
         source: "security@vmware.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-Other",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-02-02 21:15
Modified
2024-11-21 05:24
Summary
In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.
Impacted products
Vendor Product Version
linuxfoundation harbor *
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D58664D0-96A3-4C90-9977-3D0DE6C416EC",
                     versionEndExcluding: "2.0.5",
                     versionStartIncluding: "2.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6E3CC6E9-54C3-4DC8-96D8-7B28F9A55CD2",
                     versionEndExcluding: "2.1.2",
                     versionStartIncluding: "2.1.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.",
      },
      {
         lang: "es",
         value: "En Harbor versiones 2.0 anteriores a 2.0.5 y versiones 2.1.x anteriores a 2.1.2, la API de registro del catálogo está expuesta en una ruta no autenticada.",
      },
   ],
   id: "CVE-2020-29662",
   lastModified: "2024-11-21T05:24:23.270",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-02-02T21:15:13.960",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-319",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-12-26 22:15
Modified
2024-11-21 04:34
Summary
Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.
Impacted products
Vendor Product Version
linuxfoundation harbor *
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B0D1EA38-68D8-4AAD-BCFD-E3D57E935A73",
                     versionEndExcluding: "1.10.3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2F8ED53E-A64A-49BE-A24A-CDF37E6D3255",
                     versionEndExcluding: "2.0.1",
                     versionStartIncluding: "2.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.",
      },
      {
         lang: "es",
         value: "Cloud Native Computing Foundation Harbor anterior a 1.10.3 y 2.x anterior a 2.0.1 permite la enumeración de recursos porque las llamadas API no autenticadas revelan (a través del código de estado HTTP) si existe un recurso.",
      },
   ],
   id: "CVE-2019-19030",
   lastModified: "2024-11-21T04:34:01.580",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-12-26T22:15:10.247",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-11-09 01:15
Modified
2024-11-21 07:41
Summary
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "225BD7C9-8163-410E-80C3-25FA2DB3E17F",
                     versionEndExcluding: "1.10.17",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "752DA342-ED60-4E9E-BB1B-B73CE61A95FF",
                     versionEndIncluding: "2.6.4",
                     versionStartIncluding: "2.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9AB5FC66-7E27-4199-9E68-698F222039F9",
                     versionEndExcluding: "2.7.3",
                     versionStartIncluding: "2.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A2D7140D-E5FB-4A2E-85D2-48BF5AB512C5",
                     versionEndExcluding: "2.8.3",
                     versionStartIncluding: "2.8.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.",
      },
      {
         lang: "es",
         value: "Una condición de sincronización en Harbor 2.6.x y anteriores, Harbor 2.7.2 y anteriores, Harbor 2.8.2 y anteriores y Harbor 1.10.17 y anteriores permite a un atacante con acceso a la red crear trabajos/detener tareas de trabajo y recuperar información de tareas de trabajo.",
      },
   ],
   id: "CVE-2023-20902",
   lastModified: "2024-11-21T07:41:47.283",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 3.6,
            source: "security@vmware.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 4.2,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-11-09T01:15:07.660",
   references: [
      {
         source: "security@vmware.com",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf",
      },
   ],
   sourceIdentifier: "security@vmware.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-362",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-03-20 03:15
Modified
2024-11-21 04:34
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4E5A15D3-299C-482C-A798-20198E91D47B",
                     versionEndExcluding: "1.8.6",
                     versionStartIncluding: "1.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0829EA39-6511-45B4-9EB1-88CD2F38703F",
                     versionEndExcluding: "1.9.3",
                     versionStartIncluding: "1.9.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:pivotal:vmware_harbor_registry:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CDDCCD0D-4DA6-4D27-A48A-868FFE4B2561",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.",
      },
      {
         lang: "es",
         value: "Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite una inyección SQL por medio de grupos de usuarios en el VMware Harbor Container Registry para la Pivotal Platform.",
      },
   ],
   id: "CVE-2019-19029",
   lastModified: "2024-11-21T04:34:01.437",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.2,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.2,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-03-20T03:15:13.373",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tanzu.vmware.com/security/cve-2019-19029",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://tanzu.vmware.com/security/cve-2019-19029",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-89",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-01-13 00:15
Modified
2024-11-21 07:30
Summary
An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature."
Impacted products
Vendor Product Version
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C3E47565-584B-46C0-B78C-5091758B5F8A",
                     versionEndIncluding: "2.5.3",
                     versionStartIncluding: "1.1.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [
      {
         sourceIdentifier: "cve@mitre.org",
         tags: [
            "disputed",
         ],
      },
   ],
   descriptions: [
      {
         lang: "en",
         value: "An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this \"is clearly described in the documentation as a feature.\"",
      },
      {
         lang: "es",
         value: "Un problema de control de acceso en Harbor v1.X.X a v2.5.3 permite a los atacantes acceder a repositorios de imágenes públicos y privados sin autenticación. NOTA: la posición del proveedor es que esto \"se describe claramente en la documentación como una característica\".",
      },
   ],
   id: "CVE-2022-46463",
   lastModified: "2024-11-21T07:30:36.537",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-01-13T00:15:09.673",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/Vad1mo",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/lanqingaa/123/blob/main/README.md",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/Vad1mo",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/lanqingaa/123/blob/main/README.md",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-306",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:20
Summary
Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects.
Impacted products
Vendor Product Version
linuxfoundation harbor *
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "14BEA987-A012-4745-A79A-7BCF5E9CD567",
                     versionEndExcluding: "2.4.3",
                     versionStartIncluding: "2.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1B643770-6018-4D81-B386-91011E437F0D",
                     versionEndExcluding: "2.5.2",
                     versionStartIncluding: "2.5.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects.",
      },
      {
         lang: "es",
         value: "Harbor no valida los permisos de usuario al actualizar las políticas de inmutabilidad de etiquetas. Al enviar una solicitud para actualizar una política de inmutabilidad de etiquetas con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podría modificar las políticas de inmutabilidad de etiquetas configuradas en otros proyectos.",
      },
   ],
   id: "CVE-2022-31669",
   lastModified: "2024-11-19T15:20:01.913",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 6.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 2.7,
            source: "security@vmware.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.7,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-11-14T12:15:16.817",
   references: [
      {
         source: "security@vmware.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6",
      },
   ],
   sourceIdentifier: "security@vmware.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-285",
            },
         ],
         source: "security@vmware.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-863",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-11-14 12:15
Modified
2024-11-19 15:25
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
Impacted products
Vendor Product Version
linuxfoundation harbor *
linuxfoundation harbor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "14BEA987-A012-4745-A79A-7BCF5E9CD567",
                     versionEndExcluding: "2.4.3",
                     versionStartIncluding: "2.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1B643770-6018-4D81-B386-91011E437F0D",
                     versionEndExcluding: "2.5.2",
                     versionStartIncluding: "2.5.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.",
      },
      {
         lang: "es",
         value: "Harbor no valida los permisos de usuario al actualizar las políticas de precalentamiento P2P. Al enviar una solicitud para actualizar una política de precalentamiento P2P con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podría modificar las políticas de precalentamiento P2P configuradas en otros proyectos.",
      },
   ],
   id: "CVE-2022-31668",
   lastModified: "2024-11-19T15:25:25.797",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 7.4,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 3.7,
            source: "security@vmware.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.7,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-11-14T12:15:16.607",
   references: [
      {
         source: "security@vmware.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7",
      },
   ],
   sourceIdentifier: "security@vmware.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-285",
            },
         ],
         source: "security@vmware.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-863",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2019-10-18 12:15
Modified
2024-11-21 04:31
Summary
Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A78D74C0-A7FA-4F4E-9238-5A31F4C94A4D",
                     versionEndIncluding: "1.8.3",
                     versionStartIncluding: "1.8.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:harbor:1.9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "93DEFD35-079B-47BC-B82A-8C43804660C4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:vmware:cloud_foundation:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "31A7BB38-3238-413E-9736-F1A165D40867",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:vmware:harbor_container_registry:*:*:*:*:*:pivotal_cloud_foundry:*:*",
                     matchCriteriaId: "D927AFA0-8F21-48A5-9A0A-C62CF9AD786F",
                     versionEndIncluding: "1.7.6",
                     versionStartIncluding: "1.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:vmware:harbor_container_registry:*:*:*:*:*:pivotal_cloud_foundry:*:*",
                     matchCriteriaId: "D3848163-C044-4D72-A7DE-FE510C428596",
                     versionEndExcluding: "1.8.4",
                     versionStartIncluding: "1.8.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they do not have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.",
      },
      {
         lang: "es",
         value: "La API de Harbor tiene una vulnerabilidad de Control de Acceso Roto (Broken Access Control). La vulnerabilidad permite a los administradores de proyectos utilizar la API de Harbor para crear una cuenta robot con permisos de acceso no autorizados de push y/o pull en un proyecto al que no tienen acceso ni control. La API de Harbor no aplicaba los permisos y el alcance del proyecto apropiados en la petición de API para crear una nueva cuenta robot.",
      },
   ],
   id: "CVE-2019-16919",
   lastModified: "2024-11-21T04:31:20.477",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2019-10-18T12:15:10.190",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.vmware.com/security/advisories/VMSA-2019-0016.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://landscape.cncf.io/selected=harbor",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "http://www.vmware.com/security/advisories/VMSA-2019-0016.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://landscape.cncf.io/selected=harbor",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-276",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

cve-2019-19030
Vulnerability from cvelistv5
Published
2022-12-26 00:00
Modified
2024-08-05 02:09
Summary
Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T02:09:37.562Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-12-26T00:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-19030",
      datePublished: "2022-12-26T00:00:00",
      dateReserved: "2019-11-17T00:00:00",
      dateUpdated: "2024-08-05T02:09:37.562Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-29662
Vulnerability from cvelistv5
Published
2021-02-02 20:54
Modified
2024-08-04 16:55
Summary
In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T16:55:10.728Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-02-02T20:54:33",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-29662",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories/GHSA-38r5-34mr-mvm7",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-29662",
      datePublished: "2021-02-02T20:54:33",
      dateReserved: "2020-12-09T00:00:00",
      dateUpdated: "2024-08-04T16:55:10.728Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-31667
Vulnerability from cvelistv5
Published
2024-11-14 11:50
Modified
2024-11-14 14:11
Summary
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.  By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
Impacted products
Vendor Product Version
n/a Harbor Version: Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-31667",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-14T14:10:48.659302Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-14T14:11:06.110Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Harbor",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1",
                  },
               ],
            },
         ],
         datePublic: "2022-08-30T21:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">Harbor fails to validate the user permissions when updating a robot account that&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">belongs to a project that the authenticated user doesn’t have access to.&nbsp;\n\n<span style=\"background-color: rgb(255, 255, 255);\">By sending a request that attempts to update a robot account, and specifying a robot&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">account id and robot account name that belongs to a different project that the user&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">doesn’t have access to, it was possible to revoke the robot account permissions.</span>\n\n</span></span></span></span>",
                  },
               ],
               value: "Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. \n\nBy sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 6.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-285",
                     description: "CWE-285",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-14T11:50:48.289Z",
            orgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            shortName: "vmware",
         },
         references: [
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Harbor fails to validate the user permissions when updating a robot account",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
      assignerShortName: "vmware",
      cveId: "CVE-2022-31667",
      datePublished: "2024-11-14T11:50:48.289Z",
      dateReserved: "2022-05-25T23:31:47.418Z",
      dateUpdated: "2024-11-14T14:11:06.110Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-31671
Vulnerability from cvelistv5
Published
2024-11-14 11:42
Modified
2024-11-14 14:10
Summary
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
Impacted products
Vendor Product Version
n/a Harbor Version: Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-31671",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-14T14:10:09.378741Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-14T14:10:27.403Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Harbor",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1",
                  },
               ],
            },
         ],
         datePublic: "2022-08-30T21:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;could read all the job logs stored in the Harbor database.</span>\n\n</span>",
                  },
               ],
               value: "Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 7.4,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-285",
                     description: "CWE-285",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-14T11:42:22.373Z",
            orgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            shortName: "vmware",
         },
         references: [
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw",
            },
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Harbor fails to validate the user permissions when reading and updating job execution logs through the P2P preheat execution logs",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
      assignerShortName: "vmware",
      cveId: "CVE-2022-31671",
      datePublished: "2024-11-14T11:42:22.373Z",
      dateReserved: "2022-05-25T23:31:47.419Z",
      dateUpdated: "2024-11-14T14:10:27.403Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-19023
Vulnerability from cvelistv5
Published
2020-03-20 02:22
Modified
2024-08-05 02:02
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T02:02:39.917Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://tanzu.vmware.com/security/cve-2019-19023",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-03-20T02:22:41",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://tanzu.vmware.com/security/cve-2019-19023",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-19023",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories",
                  },
                  {
                     name: "https://tanzu.vmware.com/security/cve-2019-19023",
                     refsource: "CONFIRM",
                     url: "https://tanzu.vmware.com/security/cve-2019-19023",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-19023",
      datePublished: "2020-03-20T02:22:41",
      dateReserved: "2019-11-17T00:00:00",
      dateUpdated: "2024-08-05T02:02:39.917Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-19026
Vulnerability from cvelistv5
Published
2020-03-20 02:01
Modified
2024-08-05 02:02
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T02:02:40.127Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://tanzu.vmware.com/security/cve-2019-19026",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-03-20T02:01:48",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://tanzu.vmware.com/security/cve-2019-19026",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-19026",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories",
                  },
                  {
                     name: "https://tanzu.vmware.com/security/cve-2019-19026",
                     refsource: "CONFIRM",
                     url: "https://tanzu.vmware.com/security/cve-2019-19026",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-19026",
      datePublished: "2020-03-20T02:01:55",
      dateReserved: "2019-11-17T00:00:00",
      dateUpdated: "2024-08-05T02:02:40.127Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-3990
Vulnerability from cvelistv5
Published
2019-12-03 16:55
Modified
2024-08-04 19:26
Summary
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction can be bypassed, and information about registered users can be obtained via the "search" functionality.
Impacted products
Vendor Product Version
n/a Harbor Version: Harbor versions 1.9.1 and prior


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T19:26:27.642Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.tenable.com/security/research/tra-2019-50",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Harbor",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Harbor versions 1.9.1 and prior",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A User Enumeration flaw exists in Harbor. The issue is present in the \"/users\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the \"search\" functionality.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "User Enumeration",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-12-03T16:55:15",
            orgId: "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            shortName: "tenable",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.tenable.com/security/research/tra-2019-50",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "vulnreport@tenable.com",
               ID: "CVE-2019-3990",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Harbor",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "Harbor versions 1.9.1 and prior",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A User Enumeration flaw exists in Harbor. The issue is present in the \"/users\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the \"search\" functionality.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "User Enumeration",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.tenable.com/security/research/tra-2019-50",
                     refsource: "MISC",
                     url: "https://www.tenable.com/security/research/tra-2019-50",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg",
                     refsource: "CONFIRM",
                     url: "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
      assignerShortName: "tenable",
      cveId: "CVE-2019-3990",
      datePublished: "2019-12-03T16:55:15",
      dateReserved: "2019-01-03T00:00:00",
      dateUpdated: "2024-08-04T19:26:27.642Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-31668
Vulnerability from cvelistv5
Published
2024-11-14 11:56
Modified
2024-11-14 19:33
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
Impacted products
Vendor Product Version
n/a Harbor Version: Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-31668",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-14T18:53:45.416941Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-14T19:33:24.795Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Harbor",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1",
                  },
               ],
            },
         ],
         datePublic: "2022-08-30T21:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">Harbor fails to validate the user permissions when updating p2p preheat policies.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.</span>\n\n</span>",
                  },
               ],
               value: "Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 7.4,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-285",
                     description: "CWE-285",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-14T11:56:31.043Z",
            orgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            shortName: "vmware",
         },
         references: [
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "User permission validation failure and disclosure of P2P preheat execution logs",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
      assignerShortName: "vmware",
      cveId: "CVE-2022-31668",
      datePublished: "2024-11-14T11:56:31.043Z",
      dateReserved: "2022-05-25T23:31:47.418Z",
      dateUpdated: "2024-11-14T19:33:24.795Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-13794
Vulnerability from cvelistv5
Published
2020-09-29 20:17
Modified
2024-08-04 12:25
Summary
Harbor 1.9.*, 1.10.*, and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T12:25:16.567Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/releases",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.cybereagle.io/blog/cve-2020-13794/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-09-30T18:45:07",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/releases",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.cybereagle.io/blog/cve-2020-13794/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-13794",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/goharbor/harbor/releases",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/releases",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432",
                  },
                  {
                     name: "https://www.cybereagle.io/blog/cve-2020-13794/",
                     refsource: "MISC",
                     url: "https://www.cybereagle.io/blog/cve-2020-13794/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-13794",
      datePublished: "2020-09-29T20:17:10",
      dateReserved: "2020-06-03T00:00:00",
      dateUpdated: "2024-08-04T12:25:16.567Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-16919
Vulnerability from cvelistv5
Published
2019-10-18 11:59
Modified
2024-08-05 01:24
Summary
Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they do not have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T01:24:48.630Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://landscape.cncf.io/selected=harbor",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.vmware.com/security/advisories/VMSA-2019-0016.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-10-18T12:00:13",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://landscape.cncf.io/selected=harbor",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.vmware.com/security/advisories/VMSA-2019-0016.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-16919",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://landscape.cncf.io/selected=harbor",
                     refsource: "MISC",
                     url: "https://landscape.cncf.io/selected=harbor",
                  },
                  {
                     name: "http://www.vmware.com/security/advisories/VMSA-2019-0016.html",
                     refsource: "CONFIRM",
                     url: "http://www.vmware.com/security/advisories/VMSA-2019-0016.html",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-16919",
      datePublished: "2019-10-18T11:59:57",
      dateReserved: "2019-09-26T00:00:00",
      dateUpdated: "2024-08-05T01:24:48.630Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-31670
Vulnerability from cvelistv5
Published
2024-11-14 11:45
Modified
2024-11-14 14:09
Summary
Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify tag retention policies configured in other projects.
Impacted products
Vendor Product Version
n/a Harbor Version: Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-31670",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-14T14:09:30.950454Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-14T14:09:48.571Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Harbor",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1",
                  },
               ],
            },
         ],
         datePublic: "2022-08-30T21:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">Harbor fails to validate the user permissions when updating tag retention policies.&nbsp;\n\n<span style=\"background-color: rgb(255, 255, 255);\">By sending a request to update a tag retention policy with an id that belongs to a project&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">that the currently authenticated user doesn’t have access to, the attacker could modify</span><br><span style=\"background-color: rgb(255, 255, 255);\">tag retention policies configured in other projects.</span>\n\n</span></span>",
                  },
               ],
               value: "Harbor fails to validate the user permissions when updating tag retention policies. \n\nBy sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify\ntag retention policies configured in other projects.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.7,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-285",
                     description: "CWE-285",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-14T11:45:22.257Z",
            orgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            shortName: "vmware",
         },
         references: [
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Harbor fails to validate the user permissions when updating tag retention policies",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
      assignerShortName: "vmware",
      cveId: "CVE-2022-31670",
      datePublished: "2024-11-14T11:45:22.257Z",
      dateReserved: "2022-05-25T23:31:47.419Z",
      dateUpdated: "2024-11-14T14:09:48.571Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-16097
Vulnerability from cvelistv5
Published
2019-09-08 15:22
Modified
2024-08-05 01:03
Summary
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with the DB as its authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T01:03:32.654Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/releases/tag/v1.8.3",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/releases/tag/v1.7.6",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.vmware.com/security/advisories/VMSA-2019-0015.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-09-24T17:06:10",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/releases/tag/v1.8.3",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/releases/tag/v1.7.6",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.vmware.com/security/advisories/VMSA-2019-0015.html",
            },
         ],
         source: {
            discovery: "INTERNAL",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-16097",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1",
                  },
                  {
                     name: "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/",
                     refsource: "MISC",
                     url: "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/releases/tag/v1.8.3",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/releases/tag/v1.8.3",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/releases/tag/v1.7.6",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/releases/tag/v1.7.6",
                  },
                  {
                     name: "http://www.vmware.com/security/advisories/VMSA-2019-0015.html",
                     refsource: "CONFIRM",
                     url: "http://www.vmware.com/security/advisories/VMSA-2019-0015.html",
                  },
               ],
            },
            source: {
               discovery: "INTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-16097",
      datePublished: "2019-09-08T15:22:49",
      dateReserved: "2019-09-08T00:00:00",
      dateUpdated: "2024-08-05T01:03:32.654Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2017-17697
Vulnerability from cvelistv5
Published
2017-12-15 09:00
Modified
2024-08-05 20:59
Summary
The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.
References
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T20:59:17.365Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/vmware/harbor/issues/3755",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2017-12-15T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-12-15T09:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/vmware/harbor/issues/3755",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2017-17697",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/vmware/harbor/issues/3755",
                     refsource: "MISC",
                     url: "https://github.com/vmware/harbor/issues/3755",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2017-17697",
      datePublished: "2017-12-15T09:00:00",
      dateReserved: "2017-12-15T00:00:00",
      dateUpdated: "2024-08-05T20:59:17.365Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-19025
Vulnerability from cvelistv5
Published
2020-03-20 02:01
Modified
2024-08-05 02:02
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T02:02:39.868Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://tanzu.vmware.com/security/cve-2019-19025",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-03-20T02:01:41",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://tanzu.vmware.com/security/cve-2019-19025",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-19025",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories",
                  },
                  {
                     name: "https://tanzu.vmware.com/security/cve-2019-19025",
                     refsource: "CONFIRM",
                     url: "https://tanzu.vmware.com/security/cve-2019-19025",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-19025",
      datePublished: "2020-03-20T02:01:41",
      dateReserved: "2019-11-17T00:00:00",
      dateUpdated: "2024-08-05T02:02:39.868Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-31669
Vulnerability from cvelistv5
Published
2024-11-14 11:48
Modified
2024-11-15 17:30
Summary
Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify tag immutability policies configured in other projects.
Impacted products
Vendor Product Version
n/a Harbor Version: Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-31669",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-15T17:30:12.401196Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-15T17:30:33.229Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Harbor",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1",
                  },
               ],
            },
         ],
         datePublic: "2022-08-30T21:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">Harbor fails to validate the user permissions when updating tag immutability policies.&nbsp;\n\n<span style=\"background-color: rgb(255, 255, 255);\">By sending a request to update a tag immutability policy with an id that belongs to a</span><br><span style=\"background-color: rgb(255, 255, 255);\">project that the currently authenticated user doesn’t have access to, the attacker could</span><br><span style=\"background-color: rgb(255, 255, 255);\">modify tag immutability policies configured in other projects.</span>\n\n</span></span></span>",
                  },
               ],
               value: "Harbor fails to validate the user permissions when updating tag immutability policies. \n\nBy sending a request to update a tag immutability policy with an id that belongs to a\nproject that the currently authenticated user doesn’t have access to, the attacker could\nmodify tag immutability policies configured in other projects.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 6.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-285",
                     description: "CWE-285",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-14T11:48:03.444Z",
            orgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            shortName: "vmware",
         },
         references: [
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Harbor fails to validate the user permissions when updating tag immutability policies",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
      assignerShortName: "vmware",
      cveId: "CVE-2022-31669",
      datePublished: "2024-11-14T11:48:03.444Z",
      dateReserved: "2022-05-25T23:31:47.418Z",
      dateUpdated: "2024-11-15T17:30:33.229Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-22278
Vulnerability from cvelistv5
Published
2024-08-02 00:59
Modified
2024-08-14 21:35
Summary
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
Impacted products
Vendor Product Version
harbor harbor Version: 2.9.4   < <v2.9.5
Version: 2.10.2   < <v2.10.3


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-22278",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-08-02T16:14:46.125656Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-08-02T16:15:02.950Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "harbor",
               vendor: "harbor",
               versions: [
                  {
                     lessThan: "<v2.9.5",
                     status: "affected",
                     version: "2.9.4",
                     versionType: "custom",
                  },
                  {
                     lessThan: "<v2.10.3",
                     status: "affected",
                     version: "2.10.2",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Incorrect user permission validation in Harbor &lt;v2.9.5 and Harbor &lt;v2.10.3 allows authenticated users to modify configurations.",
                  },
               ],
               value: "Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.",
            },
         ],
         impacts: [
            {
               capecId: "CAPEC-176",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-176 Configuration/Environment Manipulation",
                  },
               ],
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 6.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-269",
                     description: "CWE-269 Improper Privilege Management",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-08-14T21:35:37.751Z",
            orgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            shortName: "vmware",
         },
         references: [
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Harbor fails to validate the user permissions when updating project configurations",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
      assignerShortName: "vmware",
      cveId: "CVE-2024-22278",
      datePublished: "2024-08-02T00:59:55.313Z",
      dateReserved: "2024-01-08T18:43:18.959Z",
      dateUpdated: "2024-08-14T21:35:37.751Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-46463
Vulnerability from cvelistv5
Published
2023-01-12 00:00
Modified
2024-08-03 14:31
Severity ?
Summary
An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature."
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T14:31:46.444Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/lanqingaa/123/blob/main/README.md",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/Vad1mo",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this \"is clearly described in the documentation as a feature.\"",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-01-18T00:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://github.com/lanqingaa/123/blob/main/README.md",
            },
            {
               url: "https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d",
            },
            {
               url: "https://github.com/Vad1mo",
            },
         ],
         tags: [
            "disputed",
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2022-46463",
      datePublished: "2023-01-12T00:00:00",
      dateReserved: "2022-12-05T00:00:00",
      dateUpdated: "2024-08-03T14:31:46.444Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-19029
Vulnerability from cvelistv5
Published
2020-03-20 02:02
Modified
2024-08-05 02:09
Severity ?
Summary
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T02:09:37.543Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://tanzu.vmware.com/security/cve-2019-19029",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-03-20T02:02:28",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://tanzu.vmware.com/security/cve-2019-19029",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-19029",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories",
                  },
                  {
                     name: "https://tanzu.vmware.com/security/cve-2019-19029",
                     refsource: "CONFIRM",
                     url: "https://tanzu.vmware.com/security/cve-2019-19029",
                  },
                  {
                     name: "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-19029",
      datePublished: "2020-03-20T02:02:28",
      dateReserved: "2019-11-17T00:00:00",
      dateUpdated: "2024-08-05T02:09:37.543Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-13788
Vulnerability from cvelistv5
Published
2020-07-15 20:04
Modified
2024-08-04 12:25
Severity ?
Summary
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T12:25:16.547Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/releases",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.youtube.com/watch?v=v8Isqy4yR3Q",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-07-15T20:04:57",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/goharbor/harbor/releases",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.youtube.com/watch?v=v8Isqy4yR3Q",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-13788",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/goharbor/harbor/releases",
                     refsource: "MISC",
                     url: "https://github.com/goharbor/harbor/releases",
                  },
                  {
                     name: "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788",
                     refsource: "CONFIRM",
                     url: "https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788",
                  },
                  {
                     name: "https://www.youtube.com/watch?v=v8Isqy4yR3Q",
                     refsource: "MISC",
                     url: "https://www.youtube.com/watch?v=v8Isqy4yR3Q",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-13788",
      datePublished: "2020-07-15T20:04:57",
      dateReserved: "2020-06-03T00:00:00",
      dateUpdated: "2024-08-04T12:25:16.547Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-20902
Vulnerability from cvelistv5
Published
2023-11-09 00:36
Modified
2024-09-04 13:18
Summary
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.
Impacted products
Vendor Product Version
Harbor Project Version: <=Harbor 2.6.x, <=Harbor 2.7.2, <=Harbor 2.8.2, <=Harbor 1.10.17


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T09:21:33.417Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-20902",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-04T13:11:13.739344Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-04T13:18:17.730Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Project",
               vendor: "Harbor",
               versions: [
                  {
                     status: "affected",
                     version: "<=Harbor 2.6.x, <=Harbor 2.7.2, <=Harbor 2.8.2, <=Harbor 1.10.17",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Thanks to Porcupiney Hairs for reporting this issue.",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<div>A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,&nbsp; Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to <br>create jobs/stop job tasks and retrieve job task information.<br></div>",
                  },
               ],
               value: "A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,  Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \ncreate jobs/stop job tasks and retrieve job task information.\n\n\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.",
                     lang: "en",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-11-09T00:36:25.369Z",
            orgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            shortName: "vmware",
         },
         references: [
            {
               url: "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Timing attack risk in Harbor",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "dcf2e128-44bd-42ed-91e8-88f912c1401d",
      assignerShortName: "vmware",
      cveId: "CVE-2023-20902",
      datePublished: "2023-11-09T00:36:25.369Z",
      dateReserved: "2022-11-01T15:41:50.396Z",
      dateUpdated: "2024-09-04T13:18:17.730Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}