Support Content Notification - Support Portal

CVE-2019-19029: SQL Injection via user-groups in VMware Harbor Container Registry for Pivotal Platform

Product/Component

Notification Id

23867

Last Updated

04 December 2019

Initial Publication Date

04 December 2019

Status

CLOSED

Severity

HIGH

CVSS Base Score

WorkAround

Affected CVE

CVE-2019-19029

Severity

High

Vendor

Pivotal

Description

It was discovered that in VMware Harbor Container Registry for Pivotal Platform, versions prior to 1.8.6 and 1.9.3, a user with Project-Admin capabilities can utilize and exploit SQL Injection to read secrets from the underlying database or conduct privilege escalation.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

VMware Harbor Container Registry for Pivotal Platform
- 1.8 versions prior to 1.8.6
- 1.9 versions prior to 1.9.3

Mitigation

VMware Harbor Container Registry for Pivotal Platform
- 1.8.6
- 1.9.3

Credit

This issue was responsibly reported by Cure53.

References

https://github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19029

History

2019-12-04: Initial vulnerability report published.