Vulnerability identifier: #VU26379
Vulnerability risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software: VMware Harbor Container Registry for PCF (Server applications / Virtualization software)
Vendor: Pivotal
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the Harbor API does not enforce proper permissions and scope on the API request that modifies a user's email address. A remote authenticated attacker can make an API call to modify the email address of a specific user, reset the password for that email address and gain access to that account.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
VMware Harbor Container Registry for PCF: All versions
External links
http://github.com/goharbor/harbor/security/advisories
http://tanzu.vmware.com/security/cve-2019-19023
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.