Unit 42 researcher Aviv Sasson identified a critical vulnerability that could be exploited to allow attackers to take over Harbor registries by sending malicious requests.
The privilege escalation vulnerability was uncovered while researching Harbor, a Cloud Native Computing Foundation (CNCF) project.
"Harbor is an open source cloud native registry that stores, signs, and scans container images for vulnerabilities" (goharbor.io, 2019). It integrates with Docker Hub, Docker Registry, Google Container Registry, and other registries.
The illustration below shows users and partners of Harbor.
The vulnerability, tracked as CVE-2019-16097, was said to impact versions 1.7.0 through 1.8.2. It allows non-admin users to create admin accounts via the POST /api/users API simply by adding `"has_admin_role" = "True"` to the request payload.
The problem is serious: a scan of about 2,500 Harbor instances reachable online found 1,300 of them vulnerable.
A patch has been included in versions 1.7.6 and 1.8.3 and was released on September 18, 2019. It includes a check that prevents non-admin users from creating a new admin user. All users are recommended to update their Harbor installations as soon as possible because this vulnerability is critical and gives anyone full access to their registry.
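To make the fix concrete, here is an added Go example (not Harbor's own code) that models the user-creation endpoint with and without the check the patch describes. The request struct, the in-memory store, and the `X-Caller-Role` header standing in for a real session lookup are all assumptions made for this illustration; the payload is a constructed sample.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UserRequest is a simplified (assumed) shape of the POST /api/users body,
// keeping only the field relevant to the escalation.
type UserRequest struct {
	Username     string `json:"username"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// User is the record persisted by the (in-memory, assumed) store.
type User struct {
	Username string
	Admin    bool
}

type store struct{ users []User }

var ErrPrivilegeEscalation = errors.New("non-admin caller may not create an admin user")

// authorizeCreateUser is the server-side check the patch adds: a caller who is
// not an admin may not request has_admin_role=true for the new account.
func authorizeCreateUser(callerIsAdmin bool, req UserRequest) error {
	if req.HasAdminRole && !callerIsAdmin {
		return ErrPrivilegeEscalation
	}
	return nil
}

// callerIsAdmin stands in for Harbor's session lookup (assumption: a header).
func callerIsAdmin(r *http.Request) bool {
	return r.Header.Get("X-Caller-Role") == "admin"
}

// createUser trusts the payload blindly when enforce is false (pre-patch
// behaviour) and applies authorizeCreateUser when enforce is true.
func (s *store) createUser(w http.ResponseWriter, r *http.Request, enforce bool) {
	var req UserRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	if enforce {
		if err := authorizeCreateUser(callerIsAdmin(r), req); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
	}
	s.users = append(s.users, User{Username: req.Username, Admin: req.HasAdminRole})
	w.WriteHeader(http.StatusCreated)
}

// Submit drives one request through a fresh store and returns the HTTP status
// plus whatever was persisted, so the two behaviours can be compared.
func Submit(enforce bool, callerRole string, body string) (int, []User) {
	s := &store{}
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s.createUser(w, r, enforce)
	})
	req := httptest.NewRequest(http.MethodPost, "/api/users", strings.NewReader(body))
	req.Header.Set("X-Caller-Role", callerRole)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, s.users
}

func main() {
	// Constructed sample payload: a regular user asking for an admin account.
	payload := `{"username":"alice","has_admin_role":true}`
	code, users := Submit(false, "user", payload)
	fmt.Println("unpatched, non-admin caller:", code, users) // 201 [{alice true}]
	code, users = Submit(true, "user", payload)
	fmt.Println("patched, non-admin caller:  ", code, users) // 403 []
	code, users = Submit(true, "admin", payload)
	fmt.Println("patched, admin caller:      ", code, users) // 201 [{alice true}]
}
```

The important design point is that the decision is made from the caller's authenticated role on the server, never from anything in the request body; a client-supplied role flag is only honoured once the caller has already been verified as an admin.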
Read more about this Critical Vulnerability in Harbor on the Unit42 blog.
See also: Disallow creating an admin user when registration #8917
-Kiwi out!