Severity High
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2019-19029
CVE-2019-19026
CVE-2019-19023
CVE-2019-19025
CWE ID CWE-89
CWE-264
CWE-352
Exploitation vector Network
Public exploit N/A
Vulnerable software
VMware Harbor Container Registry for PCF

Server applications /
Virtualization software
Vendor Pivotal

Security Advisory

3) Permissions, Privileges, and Access Controls

Severity: High

CVSSv3:
7.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID:
CVE-2019-19023

CWE-ID:
CWE-264 – Permissions, Privileges, and Access Controls

Exploit availability:
No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the Harbor API does not enforce the proper permissions and scope on the API request that modifies a user's email address. A remote authenticated attacker can make an API call to change the email address of a specific user, reset the password for that email address and gain access to that account.
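The missing check, as an added illustration in Go (this is not Harbor's own code; the User type and both functions are assumed, simplified stand-ins): the first function only verifies that the caller is authenticated, which is the defect the advisory describes; the second also scopes the update to the caller's own account or to an administrator.

```go
package main

import (
	"errors"
	"fmt"
)

// User is an assumed, simplified model; not Harbor's real type.
type User struct {
	ID      int
	Email   string
	IsAdmin bool
}

var ErrForbidden = errors.New("forbidden: caller may not modify this user")

// updateEmailUnscoped illustrates the defect: any authenticated caller may
// change any user's email, because the request is never scoped to the caller.
func updateEmailUnscoped(caller, target *User, newEmail string) error {
	if caller == nil {
		return errors.New("unauthenticated")
	}
	target.Email = newEmail
	return nil
}

// updateEmailScoped enforces object-level authorization: the caller may change
// only their own email unless they hold the admin role.
func updateEmailScoped(caller, target *User, newEmail string) error {
	if caller == nil {
		return errors.New("unauthenticated")
	}
	if caller.ID != target.ID && !caller.IsAdmin {
		return ErrForbidden
	}
	target.Email = newEmail
	return nil
}

func main() {
	// Constructed sample accounts.
	alice := &User{ID: 2, Email: "alice@example.test"}
	bob := &User{ID: 3, Email: "bob@example.test"}
	fmt.Println("unscoped:", updateEmailUnscoped(bob, alice, "new@example.test"), alice.Email)
	alice.Email = "alice@example.test"
	fmt.Println("scoped:", updateEmailScoped(bob, alice, "new@example.test"), alice.Email)
}
```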

Mitigation

Install updates from vendor’s website.

Vulnerable software versions

VMware Harbor Container Registry for PCF:

External links

https://github.com/goharbor/harbor/security/advisories
https://tanzu.vmware.com/security/cve-2019-19023

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
