#VU26379 Permissions, Privileges, and Access Controls in VMware Harbor Container Registry for PCF


Published: 2020-03-25

Vulnerability identifier: #VU26379

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19023

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
VMware Harbor Container Registry for PCF
Server applications / Virtualization software

Vendor: Pivotal

Description

The vulnerability allows a remote authenticated attacker to escalate privileges on the system.

The vulnerability exists because the Harbor API does not enforce the proper permissions and scope on the API request that modifies a user's email address. A remote authenticated attacker can call that API to change the email address of another user to an address under the attacker's control, request a password reset for that address, and gain access to the account, including accounts with higher privileges than the attacker's own.
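To make the missing check concrete, the following is an added example in Go (Harbor's own language) that is not Harbor's code and not part of the original advisory. It uses a constructed in-memory user store, an email-update handler with the scope check omitted next to one with it present, and runs the two-step takeover from the description against both. All user names, IDs and mail addresses are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of a registry's user table; this is not Harbor's real
// code or data structures, only an illustration of the missing scope check.
type User struct {
	ID       int
	Name     string
	Email    string
	SysAdmin bool
}

type Store struct{ users map[int]*User }

var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrForbidden       = errors.New("forbidden: caller may not modify this account")
	ErrNotFound        = errors.New("user not found")
)

// NewStore seeds three constructed accounts: a system administrator, an
// ordinary user, and a low-privilege attacker.
func NewStore() *Store {
	return &Store{users: map[int]*User{
		1: {ID: 1, Name: "admin", Email: "admin@registry.example", SysAdmin: true},
		2: {ID: 2, Name: "alice", Email: "alice@registry.example"},
		3: {ID: 3, Name: "mallory", Email: "mallory@attacker.example"},
	}}
}

// UpdateEmailVulnerable mirrors the flaw described in the advisory: the
// handler confirms the caller is logged in but never checks whether the
// caller is allowed to edit the *target* account, so any authenticated user
// can change any other user's email address.
func (s *Store) UpdateEmailVulnerable(callerID, targetID int, email string) error {
	if _, ok := s.users[callerID]; !ok {
		return ErrUnauthenticated
	}
	target, ok := s.users[targetID]
	if !ok {
		return ErrNotFound
	}
	target.Email = email
	return nil
}

// UpdateEmailHardened adds the scope check: only the account owner or a
// system administrator may change an account's email address.
func (s *Store) UpdateEmailHardened(callerID, targetID int, email string) error {
	caller, ok := s.users[callerID]
	if !ok {
		return ErrUnauthenticated
	}
	if callerID != targetID && !caller.SysAdmin {
		return ErrForbidden
	}
	target, ok := s.users[targetID]
	if !ok {
		return ErrNotFound
	}
	target.Email = email
	return nil
}

// ResetPasswordRecipient models the "forgot password" flow: the reset token
// is mailed to the address currently stored for an account, so it returns
// the ID of the account that the given mailbox now unlocks.
func (s *Store) ResetPasswordRecipient(email string) (int, bool) {
	for id, u := range s.users {
		if u.Email == email {
			return id, true
		}
	}
	return 0, false
}

// AttackSucceeds runs the two-step takeover from the advisory against a given
// email-update handler: mallory (ID 3) points the admin account (ID 1) at a
// second mailbox she controls, then requests a password reset for it.
func AttackSucceeds(s *Store, update func(*Store, int, int, string) error) bool {
	const attackerMailbox = "takeover@attacker.example" // constructed, attacker-controlled
	if err := update(s, 3, 1, attackerMailbox); err != nil {
		return false // the scope check stopped step one
	}
	id, ok := s.ResetPasswordRecipient(attackerMailbox)
	return ok && id == 1 // the admin reset token now lands in mallory's inbox
}

func main() {
	fmt.Println("vulnerable handler, takeover succeeds:", AttackSucceeds(NewStore(), (*Store).UpdateEmailVulnerable))
	fmt.Println("hardened handler, takeover succeeds:  ", AttackSucceeds(NewStore(), (*Store).UpdateEmailHardened))
}
```

The point to check in any account-update endpoint is the same as in the hardened handler: authentication answers "who is calling?", but the request must also be authorized against the specific resource being modified. A profile field that feeds the password-reset path (email, phone, recovery address) deserves the same scrutiny as the password itself.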

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

VMware Harbor Container Registry for PCF: All versions


External links
http://github.com/goharbor/harbor/security/advisories
http://tanzu.vmware.com/security/cve-2019-19023


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
