{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.0-NA"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.0-rc1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.0-rc2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.3"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.4"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.5"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.8.0-NA"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.8.0-rc1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.8.0-rc2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.8.1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.8.2-NA"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.8.2-rc1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.8.2-rc2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.9.0-rc1"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8017a20e0c04a66367d71d6a9ea80c8430ee51ef"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "bcd6947fcc76ede0893c9885b1945ead7bfc6866"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "3b3311b4f3aa78d75af3a7f230d5a53ec47d775a"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "c380652540cb8061cff50f0ce2115fc6d217019b"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "98ab7f5644d691c34824d790697a8c240f3aaf8d"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "46882f220d49b7492fb37f69fc7f996a3dc57864"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "ce6a623748a74f3a779749a355327bb2e80f3ff8"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "a8f6543ac3a21327745f0990df0e13910fbe579b"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "9b073a1941df311f30911b59751280e68158550d"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "34f02189d72e72ebb5871265b5554d1c0c25bb5e"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "25bb24cacbad985246dffbdb883d4bfecaf6aa52"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "16b59c41cdbe56fdd6a61e6794621885198edebe"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "1c3a3d532f6f315ed2f948631c9e0498e15e715a"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "ddc119a1547098e978b226420c7b45f5bfd691e8"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "1c3a3d532f6f315ed2f948631c9e0498e15e715a"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "3ab5d5f0e55d905f5651ccc6c08ada719c26eb90"
            },
            {
              "fixed": "b6db8a8a106259ec9a2c48be8a380cb3b37cf517"
            },
            {
              "fixed": "afb558e7bcab81e98e56036f1e493cb5a3823a53"
            },
            {
              "fixed": "220e3dee88b561bd4a4a15bc6d0aaa83d63638b0"
            }
          ],
          "repo": "https://github.com/goharbor/harbor",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with DB as the authentication backend and users are allowed to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.",
  "id": "CVE-2019-16097",
  "modified": "2026-03-15T21:47:00.171652474Z",
  "published": "2019-09-08T16:15:11.820Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://www.vmware.com/security/advisories/VMSA-2019-0015.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/goharbor/harbor/releases/tag/v1.7.6"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/goharbor/harbor/releases/tag/v1.8.3"
    },
    {
      "type": "ADVISORY",
      "url": "https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/"
    },
    {
      "type": "FIX",
      "url": "https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517"
    },
    {
      "type": "FIX",
      "url": "https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}