
CVE-2019-19023: Privilege Escalation in Cloud Native Computing Foundation Harbor

CVSS Score (v3.1): 9.3

Basic Information

EPSS Score: 0.73104%
Published: 5/18/2021
Updated: 2/1/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Package Name                 Ecosystem   Vulnerable Versions   First Patched Version
github.com/goharbor/harbor   go          >= 1.7.0, < 1.8.6     1.8.6
github.com/goharbor/harbor   go          >= 1.9.0, < 1.9.3     1.9.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from missing ownership validation in API endpoints. The patches add critical checks in the Prepare() methods:

  1. ProjectMemberAPI.Prepare now verifies that the member exists in the project context.
  2. RobotAPI.Prepare adds a project ID matching check.

These functions would appear in profilers during exploitation, as they are the entry points for member and robot operations. The vulnerable versions lacked these checks, allowing attackers to modify resources across projects by supplying arbitrary IDs.
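The check described above, as an added illustration that is not Harbor's own code: the types, the in-memory store and the caller model are hypothetical stand-ins, and the example generalizes the two patched methods into one Prepare-style step shared by project members and robot accounts. The vulnerable handler authorizes the caller against the project ID in the URL but then loads the member by its bare ID, so the two IDs are never tied together; the fixed handler loads the resource and rejects it unless it belongs to the project named in the request.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical resource types for illustration only; Harbor's data model differs.
type Member struct {
	ID, ProjectID, UserID int
	Role                  string
}

type Robot struct {
	ID, ProjectID int
	Name          string
	Disabled      bool
}

// Both resource kinds know which project owns them; that is what the
// Prepare-style check compares against the project ID taken from the URL.
func (m *Member) ownerProject() int { return m.ProjectID }
func (r *Robot) ownerProject() int  { return r.ProjectID }

type projectScoped interface{ ownerProject() int }

// In-memory store standing in for the database (constructed sample data).
type store struct {
	members map[int]*Member
	robots  map[int]*Robot
}

func newSampleStore() *store {
	return &store{
		members: map[int]*Member{
			1: {ID: 1, ProjectID: 1, UserID: 10, Role: "developer"},
			2: {ID: 2, ProjectID: 2, UserID: 11, Role: "developer"},
		},
		robots: map[int]*Robot{
			20: {ID: 20, ProjectID: 2, Name: "robot$ci"},
		},
	}
}

var (
	errNotFound  = errors.New("not found")
	errForbidden = errors.New("resource does not belong to this project")
)

// Hypothetical caller model: the set of projects the caller administers.
type caller struct{ adminOf map[int]bool }

func (c caller) isProjectAdmin(projectID int) bool { return c.adminOf[projectID] }

// Vulnerable pattern: the caller is authorized for projectID, but the member is
// fetched by memberID alone, so an admin of project 1 can reach a member of
// project 2 simply by supplying that member's ID.
func updateMemberRoleVulnerable(s *store, c caller, projectID, memberID int, role string) error {
	if !c.isProjectAdmin(projectID) {
		return errForbidden
	}
	m, ok := s.members[memberID]
	if !ok {
		return errNotFound
	}
	m.Role = role // no check that m.ProjectID == projectID
	return nil
}

// Fixed pattern: a Prepare-style step runs before any mutation and verifies
// that the loaded resource exists and is owned by the project in the URL.
func prepare(projectID int, res projectScoped, found bool) error {
	if !found {
		return errNotFound
	}
	if res.ownerProject() != projectID {
		return errForbidden
	}
	return nil
}

func updateMemberRoleFixed(s *store, c caller, projectID, memberID int, role string) error {
	if !c.isProjectAdmin(projectID) {
		return errForbidden
	}
	m, ok := s.members[memberID]
	if err := prepare(projectID, m, ok); err != nil {
		return err
	}
	m.Role = role
	return nil
}

// The same prepare step covers robot accounts, mirroring the RobotAPI fix.
func disableRobotFixed(s *store, c caller, projectID, robotID int) error {
	if !c.isProjectAdmin(projectID) {
		return errForbidden
	}
	r, ok := s.robots[robotID]
	if err := prepare(projectID, r, ok); err != nil {
		return err
	}
	r.Disabled = true
	return nil
}

func main() {
	admin := caller{adminOf: map[int]bool{1: true}} // admin of project 1 only
	s := newSampleStore()
	fmt.Println("vulnerable, cross-project:", updateMemberRoleVulnerable(s, admin, 1, 2, "projectAdmin"), "role now", s.members[2].Role)
	s = newSampleStore()
	fmt.Println("fixed, cross-project:", updateMemberRoleFixed(s, admin, 1, 2, "projectAdmin"), "role still", s.members[2].Role)
	fmt.Println("fixed, own project:", updateMemberRoleFixed(s, admin, 1, 1, "projectAdmin"))
	fmt.Println("fixed, robot in other project:", disableRobotFixed(s, admin, 1, 20))
}
```

The design point is that the ownership check is performed once, on the loaded object, before the handler body runs, rather than being re-implemented in every mutating method; a caller's role in project A is meaningless for an object owned by project B, and the check returns a not-found or forbidden error without touching state. The same shape applies to any ID-addressed sub-resource of a tenant or project.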


WAF Protection Rules

WAF Rule

Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
