CVE-2019-19025: Cross-Site Request Forgery Vulnerability in VMware Harbor Container Registry for Pivotal Platform
23824
04 December 2019
04 December 2019
CLOSED
CRITICAL
CVE-2019-19025
Severity
Critical
Vendor
Pivotal
Description
It was discovered that in VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim.Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- VMware Harbor Container Registry for Pivotal Platform
- 1.8 versions prior to 1.8.6
- 1.9 versions prior to 1.9.3
Mitigation
- VMware Harbor Container Registry for Pivotal Platform
- 1.8.6
- 1.9.3
Credit
This issue was responsibly reported by Cure53.
References
- https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19025
History
2019-12-04: Initial vulnerability report published.