Описание
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
Ссылки
- Third Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:linuxfoundation:harbor:1.7.0:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.0:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.2:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.3:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.4:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.7.5:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.0:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:-:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc1:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.8.2:rc2:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*
EPSS
Процентиль: 100%
0.92614
Критический
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-862
Связанные уязвимости
EPSS
Процентиль: 100%
0.92614
Критический
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-862