CVE-2019-16097: Missing Authorization in Harbor
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.99731%
CWE
Published
2/15/2022
Updated
9/18/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/goharbor/harbor | go | >= 1.7.0, <= 1.8.9 | 1.9.0-rc1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the UserAPI.Post
handler in user.go
which processed user creation requests. The pre-patch code lacked authorization checks to prevent non-admin users from setting admin privileges (HasAdminRole=true) during user registration. The commit diff shows added validation
(lines 328-333) that explicitly blocks non-admins from creating admin users, confirming this was the missing security control. The CVE description directly correlates to this missing authorization check in the user creation flow.