CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19029
https://notcve.org/view.php?id=CVE-2019-19029
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform. Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite una inyección SQL por medio de grupos de usuarios en el VMware Harbor Container Registry para la Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w https://tanzu.vmware.com/security/cve-2019-19029 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19026
https://notcve.org/view.php?id=CVE-2019-19026
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform. Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite una inyección SQL por medio de cuotas de proyecto en el VMware Harbor Container Registry para la Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64 https://tanzu.vmware.com/security/cve-2019-19026 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19025
https://notcve.org/view.php?id=CVE-2019-19025
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform. Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite un ataque de tipo CSRF en el VMware Harbor Container Registry para la Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6 https://tanzu.vmware.com/security/cve-2019-19025 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2019-3990
https://notcve.org/view.php?id=CVE-2019-3990
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality. Se presenta un fallo de Enumeración de Usuarios en Harbor. • https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg https://www.tenable.com/security/research/tra-2019-50 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-16919
https://notcve.org/view.php?id=CVE-2019-16919
Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. La API de Harbor tiene una vulnerabilidad de Control de Acceso Interrumpido. La vulnerabilidad permite a los administradores de proyectos utilizar la API de Harbor para crear una cuenta robot con permisos de acceso no autorizados para presionar y/o arrastrar en un proyecto al que no tienen acceso o control. • http://www.vmware.com/security/advisories/VMSA-2019-0016.html https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624 https://landscape.cncf.io/selected=harbor • CWE-276: Incorrect Default Permissions •