core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
2019-09-08T16:15:11.820
2024-11-21T04:30:01.773
Modified
CVSSv3.1: 6.5 (MEDIUM)
AV:N/AC:L/Au:S/C:N/I:P/A:N
8.0
2.9
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | linuxfoundation | harbor | 1.7.0 | Yes |
Application | linuxfoundation | harbor | 1.7.0 | Yes |
Application | linuxfoundation | harbor | 1.7.0 | Yes |
Application | linuxfoundation | harbor | 1.7.1 | Yes |
Application | linuxfoundation | harbor | 1.7.2 | Yes |
Application | linuxfoundation | harbor | 1.7.3 | Yes |
Application | linuxfoundation | harbor | 1.7.4 | Yes |
Application | linuxfoundation | harbor | 1.7.5 | Yes |
Application | linuxfoundation | harbor | 1.8.0 | Yes |
Application | linuxfoundation | harbor | 1.8.0 | Yes |
Application | linuxfoundation | harbor | 1.8.0 | Yes |
Application | linuxfoundation | harbor | 1.8.1 | Yes |
Application | linuxfoundation | harbor | 1.8.2 | Yes |
Application | linuxfoundation | harbor | 1.8.2 | Yes |
Application | linuxfoundation | harbor | 1.8.2 | Yes |
Application | linuxfoundation | harbor | 1.9.0 | Yes |