Synopsis: VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability (CVE-2019-16919)
A Broken Access Control vulnerability in the API of Harbor may allow for unauthorized access to push/pull/modify images in an adjacent project. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
Known Attack Vectors:
A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.
To remediate CVE-2019-16919, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Resolution Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VMware Cloud Foundation* | x.x | Any | | | | | | |
| VMware Harbor Container Registry for PCF | 1.8.x | Any | CVE-2019-16919 | 9.1 | Critical | 1.8.4 | None | None |
| VMware Harbor Container Registry for PCF | 1.7.x | Any | CVE-2019-16919 | N/A | N/A | Unaffected | None | None |
*VMware Cloud Foundation is affected if the optional 'Harbor Registry' component has been deployed.
Fixed versions:
VMware Cloud Foundation 3.9.0
VMware Harbor Container Registry for PCF 1.8.4
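The following is an added example, not code from VMware, Harbor or this advisory. It applies the resolution matrix above to a Harbor Container Registry for PCF tile version, and then inventories the robot accounts in every project, because the attack vector described above leaves behind a robot account with push/pull rights that upgrading to a fixed version does not remove. It assumes the Harbor 1.8 REST API endpoints GET /api/projects and GET /api/projects/{project_id}/robots with their JSON fields project_id and name, and an operator-maintained allowlist of expected robot names per project; the sample API responses embedded below are constructed, and the helper names are hypothetical.

```python
"""Post-patch review for CVE-2019-16919: is this tile version affected, and
which robot accounts exist in each Harbor project?

Added example, not code from VMware, Harbor or the advisory. Assumptions:
the Harbor 1.8 API endpoints GET /api/projects and
GET /api/projects/{project_id}/robots (field names below follow their JSON),
and an auditor-maintained allowlist of expected robot names per project.
"""
import base64
import json
import re
import urllib.request
from typing import Dict, Iterable, List


def is_affected(tile_version: str) -> bool:
    """Apply the advisory's resolution matrix to a Harbor-for-PCF tile version.

    1.7.x is unaffected; 1.8.0 to 1.8.3 are affected; 1.8.4 is the fixed
    version. Any other release line is outside this advisory and raises.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", tile_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {tile_version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) == (1, 7):
        return False
    if (major, minor) == (1, 8):
        return patch < 4
    raise ValueError(f"{tile_version} is not covered by this advisory's matrix")


def audit_robots(projects: List[dict],
                 robots_by_project: Dict[int, List[dict]],
                 expected: Dict[str, Iterable[str]]) -> List[dict]:
    """Flag robot accounts an operator did not expect.

    Patching stops further cross-project robot creation; it does not delete
    robots created before the fix, so each project's robot list needs review.
    Two findings are produced: a robot whose name is not in the project's
    allowlist, and a robot whose own project_id field disagrees with the
    project it was listed under.
    """
    findings = []
    for project in projects:
        pid, pname = project["project_id"], project["name"]
        allowed = set(expected.get(pname, ()))
        for robot in robots_by_project.get(pid, []):
            if robot.get("project_id") != pid:
                findings.append({"project": pname, "robot": robot["name"],
                                 "reason": "project_id field disagrees with listing project"})
            if robot["name"] not in allowed:
                findings.append({"project": pname, "robot": robot["name"],
                                 "reason": "robot not in allowlist"})
    return findings


def fetch_inventory(base_url: str, user: str, password: str):
    """Pull projects and their robots from a live Harbor 1.8 API (basic auth).

    Hypothetical live-run helper; the offline demo below uses constructed data.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def get(path: str):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    projects = get("/api/projects")
    # Harbor returns null for a project with no robots, hence the `or []`.
    robots = {p["project_id"]: get(f"/api/projects/{p['project_id']}/robots") or []
              for p in projects}
    return projects, robots


# Constructed sample data in the shape of the two Harbor 1.8 responses.
SAMPLE_PROJECTS = [
    {"project_id": 2, "name": "team-a"},
    {"project_id": 3, "name": "team-b"},
]
SAMPLE_ROBOTS = {
    2: [{"id": 10, "name": "robot$ci-deploy", "project_id": 2}],
    3: [{"id": 11, "name": "robot$ci-deploy", "project_id": 3},
        {"id": 12, "name": "robot$nightly", "project_id": 3}],
}
# Operator allowlist (assumption): one CI robot per project is expected.
EXPECTED = {"team-a": ["robot$ci-deploy"], "team-b": ["robot$ci-deploy"]}


if __name__ == "__main__":
    print("tile 1.8.3 affected:", is_affected("1.8.3"))
    for finding in audit_robots(SAMPLE_PROJECTS, SAMPLE_ROBOTS, EXPECTED):
        print(finding)
```

Against a live instance, replace the constructed data with `fetch_inventory("https://harbor.example.internal", user, password)` using an account with system administrator rights, since a project administrator only sees robots in their own projects. Any robot the audit flags should be disabled or deleted in the Harbor UI and its token rotated out of the pipelines that used it.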
FIRST CVSSv3 Calculator:
Mitre CVE Dictionary Links:
Initial security advisory detailing remediations for CVE-2019-16919 in VMware Harbor Container Registry for PCF.
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists:
PGP key at:
VMware Security Advisories
VMware Security Response Policy
VMware Lifecycle Support Phases
VMware Security & Compliance Blog
Copyright 2019 VMware Inc. All rights reserved.