
CVE-2023-20902 – Timing attack risk in Harbor
https://notcve.org/view.php?id=CVE-2023-20902
09 Nov 2023 — A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information. • https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVE-2022-46463
https://notcve.org/view.php?id=CVE-2022-46463
12 Jan 2023 — An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature." • https://github.com/nu0l/CVE-2022-46463 • CWE-306: Missing Authentication for Critical Function

CVE-2019-19030
https://notcve.org/view.php?id=CVE-2019-19030
26 Dec 2022 — Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists. • https://github.com/shodanwashere/boatcrash

CVE-2020-13788
https://notcve.org/view.php?id=CVE-2020-13788
15 Jul 2020 — Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet. • https://github.com/goharbor/harbor/releases • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2019-19023
https://notcve.org/view.php?id=CVE-2019-19023
20 Mar 2020 — Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories

CVE-2019-19029
https://notcve.org/view.php?id=CVE-2019-19029
20 Mar 2020 — Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-19026
https://notcve.org/view.php?id=CVE-2019-19026
20 Mar 2020 — Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-19025
https://notcve.org/view.php?id=CVE-2019-19025
20 Mar 2020 — Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform. • https://github.com/goharbor/harbor/security/advisories • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2019-3990
https://notcve.org/view.php?id=CVE-2019-3990
03 Dec 2019 — A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction can be bypassed, and information about registered users can be obtained via the "search" functionality. • https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg • CWE-269: Improper Privilege Management

CVE-2019-16919
https://notcve.org/view.php?id=CVE-2019-16919
18 Oct 2019 — Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. • http://www.vmware.com/security/advisories/VMSA-2019-0016.html • CWE-276: Incorrect Default Permissions