
CVE-2019-16097: Missing Authorization in Harbor

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.99731%
Published: 2/15/2022
Updated: 9/18/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Package Name: github.com/goharbor/harbor
Ecosystem: go
Vulnerable Versions: >= 1.7.0, <= 1.8.9
First Patched Version: 1.9.0-rc1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the UserAPI.Post handler in user.go, which processes user creation requests. The pre-patch code lacked an authorization check preventing non-admin users from setting admin privileges (HasAdminRole=true) during user registration. The commit diff shows added validation (lines 328-333) that explicitly blocks non-admins from creating admin users, confirming this was the missing security control. The CVE description corresponds directly to this missing authorization check in the user creation flow.
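The following Go program is an added illustration of the control the analysis describes and is not Harbor's code: a user-creation handler in which a request carrying HasAdminRole=true is accepted only when the caller already holds the admin role, with the decision made before anything reaches the store. The User type, the field and JSON tag names, the in-memory userStore, and the callerFor helper (which reads the caller identity from request headers purely so the harness can drive it) are all assumptions for this example; a real service resolves the caller from its authenticated session, never from client-controlled headers.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User is a hypothetical account record for this illustration; the field
// names and JSON tags are assumptions, not Harbor's own types.
type User struct {
	Username     string `json:"username"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// ErrNotAuthorized is returned when a non-admin asks for an admin account.
var ErrNotAuthorized = errors.New("only administrators may create administrator accounts")

// validateNewUser is the authorization control the analysis describes: a
// request may only carry HasAdminRole=true when the caller is already an admin.
func validateNewUser(caller, req User) error {
	if strings.TrimSpace(req.Username) == "" {
		return errors.New("username is required")
	}
	if req.HasAdminRole && !caller.HasAdminRole {
		return ErrNotAuthorized
	}
	return nil
}

// userStore is an in-memory stand-in for the user database.
type userStore struct {
	users map[string]User
}

func newStore() *userStore {
	return &userStore{users: map[string]User{}}
}

// callerFor is a constructed stand-in for session lookup: the harness below
// sets the caller identity and admin flag in request headers. Production code
// must take these from the authenticated session, not from the client.
func callerFor(r *http.Request) User {
	return User{
		Username:     r.Header.Get("X-Caller"),
		HasAdminRole: r.Header.Get("X-Caller-Admin") == "true",
	}
}

// handlePostUser models POST /api/users with the check in place: the
// authorization decision happens before anything is written to the store.
func (s *userStore) handlePostUser(w http.ResponseWriter, r *http.Request) {
	caller := callerFor(r)

	var req User
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "malformed request body", http.StatusBadRequest)
		return
	}

	if err := validateNewUser(caller, req); err != nil {
		status := http.StatusBadRequest
		if errors.Is(err, ErrNotAuthorized) {
			status = http.StatusForbidden
		}
		http.Error(w, err.Error(), status)
		return
	}

	s.users[req.Username] = req
	w.WriteHeader(http.StatusCreated)
}

// postUser sends a constructed request through the handler and returns the
// HTTP status code, so the behaviour can be checked without a network.
func postUser(s *userStore, callerAdmin bool, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/users", strings.NewReader(body))
	req.Header.Set("X-Caller", "alice")
	if callerAdmin {
		req.Header.Set("X-Caller-Admin", "true")
	}
	rec := httptest.NewRecorder()
	s.handlePostUser(rec, req)
	return rec.Code
}

func main() {
	s := newStore()
	// Non-admin requesting an admin account: refused, nothing stored.
	fmt.Println(postUser(s, false, `{"username":"bob","has_admin_role":true}`))
	// Admin caller creating an admin account: allowed.
	fmt.Println(postUser(s, true, `{"username":"bob","has_admin_role":true}`))
	// Non-admin creating an ordinary account: allowed.
	fmt.Println(postUser(s, false, `{"username":"carol","has_admin_role":false}`))
	fmt.Println(len(s.users))
}
```

The point worth keeping from this shape is that the privilege check keys on the caller's role, not on the request body, and that it runs before the store is touched, so a rejected request leaves no partial record behind.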


WAF Protection Rules

WAF Rule

core/api/user.go in Harbor 1.7.0 through 1.8.9 allows non-admin users to create admin accounts via the POST /api/users API. This is fixed in 1.9.0-rc1.
