CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-16919
https://notcve.org/view.php?id=CVE-2019-16919
Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. La API de Harbor tiene una vulnerabilidad de Control de Acceso Interrumpido. La vulnerabilidad permite a los administradores de proyectos utilizar la API de Harbor para crear una cuenta robot con permisos de acceso no autorizados para presionar y/o arrastrar en un proyecto al que no tienen acceso o control. • http://www.vmware.com/security/advisories/VMSA-2019-0016.html https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624 https://landscape.cncf.io/selected=harbor • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 1CVE-2019-16884 – runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc
https://notcve.org/view.php?id=CVE-2019-16884
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. runc versiones hasta 1.0.0-rc8, como es usado en Docker versiones hasta 19.03.2-ce y otros productos, permite omitir la restricción de AppArmor porque el archivo libcontainer/rootfs_linux.go comprueba incorrectamente los destinos de montaje y, por lo tanto, una imagen Docker maliciosa puede ser montada sobre un directorio /proc . • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00073.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00010.html https://access.redhat.com/errata/RHSA-2019:3940 https://access.redhat.com/errata/RHSA-2019:4074 https://access.redhat.com/errata/RHSA-2019:4269 https://github.com/opencontainers/runc/issues/2128 https://lists.debian.org/debian-lts-announce/2023/02/msg00016.html https: • CWE-41: Improper Resolution of Path Equivalence CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 96%CPEs: 16EXPL: 4CVE-2019-16097
https://notcve.org/view.php?id=CVE-2019-16097
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP. core/api/user.go en Harbor versión 1.7.0 hasta la versión 1.8.2 permite a los usuarios que no son administradores crear cuentas de administrador mediante el POST /api/users API, cuando Harbor se configura con DB como back-end de autenticación y permite al usuario realizar el autorregistro. Esto se corrige en la versión 1.7.6, versión 1.8.3. versión 1.9.0. Solución alternativa sin aplicar la corrección: configure Harbor para que utilice el backend de autenticación que no sea de base de datos, como LDAP. • https://github.com/evilAdan0s/CVE-2019-16097 https://github.com/rockmelodies/CVE-2019-16097-batch https://github.com/ianxtianxt/CVE-2019-16097 https://github.com/luckybool1020/CVE-2019-16097 http://www.vmware.com/security/advisories/VMSA-2019-0015.html https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517 https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1 https://github.com/goharbor/harbor/releases/tag/v1.7.6 https://github.com/goharbor/ha • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-1010234
https://notcve.org/view.php?id=CVE-2019-1010234
The Linux Foundation ONOS 1.15.0 and ealier is affected by: Improper Input Validation. The impact is: The attacker can remotely execute any commands by sending malicious http request to the controller. The component is: Method runJavaCompiler in YangLiveCompilerManager.java. The attack vector is: network connectivity. Linux Foundation ONOS versión 1.15.0 y versiones anteriores se ven afectadas por: Validación de entrada incorrecta. • https://drive.google.com/file/d/1OkMtrMgjjINsDUQwxpGxjbATB6hiwqyv/view?usp=sharing • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-1010245
https://notcve.org/view.php?id=CVE-2019-1010245
The Linux Foundation ONOS SDN Controller 1.15 and earlier versions is affected by: Improper Input Validation. The impact is: A remote attacker can execute arbitrary commands on the controller. The component is: apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java. The attack vector is: network connectivity. The fixed version is: 1.15. • https://drive.google.com/open?id=1OkMtrMgjjINsDUQwxpGxjbATB6hiwqyv https://gerrit.onosproject.org/#/c/20767 • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •