CVE-2019-19023: Privilege Escalation in Cloud Native Computing Foundation Harbor
9.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.73104%
CWE
Published
5/18/2021
Updated
2/1/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/goharbor/harbor | go | >= 1.7.0, < 1.8.6 | 1.8.6 |
github.com/goharbor/harbor | go | >= 1.9.0, < 1.9.3 | 1.9.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing ownership validation in API endpoints. The patches add critical checks in Prepare() methods:
- ProjectMemberAPI.Prepare now verifies member exists in the project context
- RobotAPI.Prepare adds project ID matching check These functions would appear in profilers during exploitation as they're the entry points for member/robot operations. The vulnerable versions lacked these checks, allowing attackers to modify resources across projects by supplying arbitrary IDs.