HTTP: Harbor Project Harbor user API Privilege Escalation

This signature detects attempts to exploit a known vulnerability against Harbor. A successful attack can lead to elevation of privilege and arbitrary code execution.

Extended Description

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.

Affected Products

Linuxfoundation harbor

References

CVE: CVE-2019-16097

Short Name
HTTP:CTS:HARBOR-PROJECT-PE
Severity
Minor
Recommended
True
Recommended Action
Drop
Category
HTTP
Keywords
API CVE-2019-16097 Escalation Harbor Privilege Project user
Release Date
11/14/2019
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3693
False Positive
Unknown
Vendors

Linuxfoundation

CVSS Score

4.0

Found a potential security threat?