CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19029
https://notcve.org/view.php?id=CVE-2019-19029
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform. Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite una inyección SQL por medio de grupos de usuarios en el VMware Harbor Container Registry para la Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w https://tanzu.vmware.com/security/cve-2019-19029 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19026
https://notcve.org/view.php?id=CVE-2019-19026
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform. Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite una inyección SQL por medio de cuotas de proyecto en el VMware Harbor Container Registry para la Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64 https://tanzu.vmware.com/security/cve-2019-19026 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19025
https://notcve.org/view.php?id=CVE-2019-19025
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform. Cloud Native Computing Foundation Harbor versiones anteriores a 1.8.6 y 1.9.3, permite un ataque de tipo CSRF en el VMware Harbor Container Registry para la Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6 https://tanzu.vmware.com/security/cve-2019-19025 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2019-3990
https://notcve.org/view.php?id=CVE-2019-3990
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality. Se presenta un fallo de Enumeración de Usuarios en Harbor. • https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg https://www.tenable.com/security/research/tra-2019-50 • CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 96%CPEs: 16EXPL: 4CVE-2019-16097
https://notcve.org/view.php?id=CVE-2019-16097
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP. core/api/user.go en Harbor versión 1.7.0 hasta la versión 1.8.2 permite a los usuarios que no son administradores crear cuentas de administrador mediante el POST /api/users API, cuando Harbor se configura con DB como back-end de autenticación y permite al usuario realizar el autorregistro. Esto se corrige en la versión 1.7.6, versión 1.8.3. versión 1.9.0. Solución alternativa sin aplicar la corrección: configure Harbor para que utilice el backend de autenticación que no sea de base de datos, como LDAP. • https://github.com/evilAdan0s/CVE-2019-16097 https://github.com/rockmelodies/CVE-2019-16097-batch https://github.com/ianxtianxt/CVE-2019-16097 https://github.com/luckybool1020/CVE-2019-16097 http://www.vmware.com/security/advisories/VMSA-2019-0015.html https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517 https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1 https://github.com/goharbor/harbor/releases/tag/v1.7.6 https://github.com/goharbor/ha • CWE-862: Missing Authorization •