CVE-2019-16097 PoC
CVE-2019-16097. This program is provided for security research only; do not use it for anything unlawful!
Vulnerability impact: an attacker can create an administrator account, then upload malicious images, infecting clients that pull from the registry.
Vulnerable component: Harbor
Affected versions: 1.7.0 to 1.8.2
Remediation: upgrade to 1.7.6 or 1.8.3 as soon as possible.
core/api/user.go in Harbor 1.7.0 up to and including 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with the DB as authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.
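As an added illustration (example code, not Harbor's own source and not from this page), the pattern behind this class of bug and its fix, in Go: a create-user handler that decodes the request body straight into the stored record honours any privileged attribute a self-registering caller includes, while the hardened handler only honours it when the caller already holds the system-administrator role. The type and field names (`User`, `is_admin`, `createUserFixed`) are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"errors"
)

// User is the record built from the JSON body of a create-user request.
// Names are illustrative assumptions, not Harbor's own types.
type User struct {
	Username string `json:"username"`
	Email    string `json:"email"`
	IsAdmin  bool   `json:"is_admin"` // privileged attribute
}

// ErrForbidden is returned when a non-administrator asks for an admin account.
var ErrForbidden = errors.New("only a system administrator may create admin accounts")

// createUserVulnerable shows the flawed pattern: the body is decoded straight
// into the stored record, so a privileged attribute set by the caller is kept.
func createUserVulnerable(body []byte) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	return u, nil
}

// createUserFixed applies the server-side rule the bug lacked: privileged
// attributes in the body are only honoured when the caller already holds the
// system-administrator role; callerIsSysAdmin is false for self-registration.
func createUserFixed(callerIsSysAdmin bool, body []byte) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	if u.IsAdmin && !callerIsSysAdmin {
		return User{}, ErrForbidden
	}
	return u, nil
}

func main() {
	// Constructed sample request: a self-registration that sets the flag.
	body := []byte(`{"username":"alice","email":"alice@example.test","is_admin":true}`)
	u, _ := createUserVulnerable(body)
	println("vulnerable handler stored is_admin =", u.IsAdmin)
	_, err := createUserFixed(false, body)
	println("fixed handler refused:", err != nil)
}
```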
Vulnerable Product |
---|
linuxfoundation harbor 1.7.0 |
linuxfoundation harbor 1.7.1 |
linuxfoundation harbor 1.7.2 |
linuxfoundation harbor 1.7.3 |
linuxfoundation harbor 1.7.4 |
linuxfoundation harbor 1.7.5 |
linuxfoundation harbor 1.8.0 |
linuxfoundation harbor 1.8.1 |
linuxfoundation harbor 1.8.2 |
linuxfoundation harbor 1.9.0 |
Patch now before miscreants sail off with your apps, data
IT departments using the Harbor container registry will want to update the software ASAP, following Thursday's disclosure of a bug that can be exploited by users to gain administrator privileges. Aviv Sasson, of Palo Alto Networks' Unit 42 security team, found that under its default settings, Harbor accepts an API call that can, inadvertently, elevate a normal user's permissions. If you can reach a vulnerable Harbor installation's web interface, you can potentially pwn it. Seeing as Harbor...