Published: 08/09/2019 Updated: 24/08/2020

CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8

CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8

VMScore: 358

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

core/api/user.go in Harbor 1.7.0 up to and including 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.

Vulnerable Product	Search on Vulmon	Subscribe to Product
linuxfoundation harbor 1.7.0
linuxfoundation harbor 1.8.2
linuxfoundation harbor 1.9.0
linuxfoundation harbor 1.7.1
linuxfoundation harbor 1.8.0
linuxfoundation harbor 1.7.3
linuxfoundation harbor 1.7.4
linuxfoundation harbor 1.7.5
linuxfoundation harbor 1.7.2
linuxfoundation harbor 1.8.1

CVE-2019-16097 PoC

CVE-2019-16097 本程序只供安全研究使用，请勿用作非法！漏洞危害可导致攻击者创建管理员账户，从而上传恶意镜像，导致使用该仓库的客户端被感染漏洞组件 Harbor 影响版本 170-182 修复建议尽快升级至176或183

Harbor 未授权创建管理员漏洞原理 docker及poc[基于pocsuite框架]

CVE-2019-16097 Harbor 未授权创建管理员漏洞原理 docker及poc[基于pocsuite框架]

cve-2019-1609

cve-2019-16097 1在urlstxt中添加你要检测的url 2python3环境下运行cve-2019-16097脚本 python3 cve-2019-16097py 3批量检测完成后再results中查看成功写入账号的url。

Ary 是一个集成类工具，主要用于调用各种安全工具，从而形成便捷的一键式渗透。

Ary Ary 是一个集成类工具，主要用于调用各种安全工具，从而形成便捷的一键式渗透。版本：211 公开版作者： Ali0th 联系： martin2877@foxmailcom 主页： githubcom/Martin2877 声明：本工具仅供学习、测试使用，严禁用于非法用途，开发者对使用者的违法行为不负责任。交流：欢迎提issue，�

CVE-2019-16097-batch 免责声明只做安全研究使用，不得做非法测试，后果自行承担！！！ CVE-2019-16097-batch 批量漏洞利用脚本在 urltxt文件批量添加目标地址 1111 2222 使用python 运行此脚本在 resulttxt 可以看到最终的验证结果漏洞背景近日，镜像仓库Harbor爆出任意管理员注册�

CVE-2019-16097-batch

CVE-2019-16097-batch 免责声明只做安全研究使用，不得做非法测试，后果自行承担！！！ CVE-2019-16097-batch 批量漏洞利用脚本在 urltxt文件批量添加目标地址 1111 2222 使用python 运行此脚本在 resulttxt 可以看到最终的验证结果漏洞背景近日，镜像仓库Harbor爆出任意管理员注册�

If you're using Harbor as your container registry, bear in mind it can be hijacked with has_admin_role = True

The Register • Shaun Nichols in San Francisco • 19 Sep 2019

Patch now before miscreants sail off with your apps, data

Video IT departments using the Harbor container registry will want to update the software ASAP, following Thursday's disclosure of a bug that can be exploited by users to gain administrator privileges. Aviv Sasson, of Palo Alto Networks' Unit 42 security team, found that under its default settings, Harbor accepts an API call that can, inadvertently, elevate a normal user's permissions. If you can reach a vulnerable Harbor installation's web interface, you can potentially pwn it. Seeing as Harbor...

CVE-2019-16097

Vulnerability Summary

Vulnerability Trend

Github Repositories

Recent Articles

References

Vulmon Search

About

Products

Connect