Advisory ID: VMSA-2019-0016
Advisory Severity: Critical
CVSSv3 Range: 9.1
Synopsis: VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability (CVE-2019-16919)
Issue Date: 2019-10-15
Updated On: 2019-12-11
CVE(s): CVE-2019-16919
1. Impacted Products
  • VMware Cloud Foundation
  • VMware Harbor Container Registry for PCF
2. Introduction
A broken access control vulnerability in Harbor, a Cloud Native Computing Foundation (CNCF) Open Source Project, was disclosed. Patches are available to remediate this vulnerability in affected VMware products.
3. Broken access control vulnerability in Harbor API (CVE-2019-16919)


A Broken Access Control vulnerability in the API of Harbor may allow for unauthorized access to push/pull/modify images in an adjacent project. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.


Known Attack Vectors:

A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.



To remediate CVE-2019-16919, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.





Additional Documentation:









Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents
VMware Cloud Foundation* | x.x | Any | CVE-2019-16919 | 9.1 | Critical | 3.9.0 | None | None
VMware Harbor Container Registry for PCF | 1.8.x | Any | CVE-2019-16919 | 9.1 | Critical | 1.8.4 | None | None
VMware Harbor Container Registry for PCF | 1.7.x | Any | CVE-2019-16919 | N/A | N/A | Unaffected | None | None

*VMware Cloud Foundation is affected if the optional 'Harbor Registry' component has been deployed.


4. References

VMware Cloud Foundation 3.9.0

VMware Harbor Container Registry for PCF 1.8.4



FIRST CVSSv3 Calculator:


Mitre CVE Dictionary Links:


5. Change log

2019-10-15: VMSA-2019-0016 

Initial security advisory detailing remediations for CVE-2019-16919 in VMware Harbor Container Registry for PCF.


6. Contact


E-mail list for product security notifications and announcements:


This Security Advisory is posted to the following lists:



PGP key at:


VMware Security Advisories


VMware Security Response Policy


VMware Lifecycle Support Phases


VMware Security & Compliance Blog




Copyright 2019 VMware Inc. All rights reserved.

