Synopsis: VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability (CVE-2019-16919)
A Broken Access Control vulnerability in the API of Harbor may allow for unauthorized access to push/pull/modify images in an adjacent project. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
Known Attack Vectors:
A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.
To remediate CVE-2019-16919, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation* | x.x | Any |
| VMware Harbor Container Registry for PCF | 1.8.x | Any | CVE-2019-16919 | 9.1 | Critical | 1.8.4 | None | None |
| VMware Harbor Container Registry for PCF | 1.7.x | Any | CVE-2019-16919 | N/A | N/A | Unaffected | None | None |
*VMware Cloud Foundation is affected if the optional 'Harbor Registry' component has been deployed.
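The following triage helper is an added example, not part of the original advisory or VMware tooling. It classifies VMware Harbor Container Registry for PCF versions against the Resolution Matrix above. The inventory names and the status labels are constructed for illustration, and VMware Cloud Foundation is not handled because its matrix row is incomplete on this page.

```python
import re

# 'Fixed Version' for the 1.8.x line, taken from the Resolution Matrix.
FIXED = (1, 8, 4)

def parse_version(text):
    """Split '1.8.3', 'v1.8.4' or '1.8.4-rc1' into ((1, 8, 4), suffix); None if unparseable."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups()[:3]), m.group(4)

def triage(version_text):
    """Return a status label (labels are this example's own, not VMware's)."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"          # e.g. a floating tag; resolve to a real version first
    version, suffix = parsed
    if version[:2] == (1, 7):
        return "unaffected"       # 1.7.x row of the matrix
    if version[:2] == (1, 8):
        if version == FIXED and suffix:
            return "review"       # suffixed 1.8.4 build: confirm it contains the fix
        return "fixed" if version >= FIXED else "vulnerable"
    return "not-listed"           # release line the advisory does not cover

# Constructed sample inventory: (deployment name, reported Harbor tile version).
INVENTORY = [
    ("pcf-prod", "1.8.3"),
    ("pcf-stage", "v1.8.4"),
    ("pcf-legacy", "1.7.5"),
    ("pcf-lab", "1.9.0"),
    ("pcf-dr", "latest"),
    ("pcf-test", "1.8.4-rc1"),
]

def report(inventory):
    """Map each deployment name to its triage status."""
    return {name: triage(version) for name, version in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:12} {status}")
```

Deployments reported as "vulnerable" need the 1.8.4 patch; "unknown", "review" and "not-listed" need a manual check because the advisory gives no answer for them.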
VMware Cloud Foundation 3.9.0
VMware Harbor Container Registry for PCF 1.8.4
Initial security advisory detailing remediations for CVE-2019-16919 in VMware Harbor Container Registry for PCF.
Copyright 2019 VMware Inc. All rights reserved.