CVE-2019-19025
Published 2020-03-20

CVE-2019-19025: Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.

Priority: P3 · 37 · high · 8.8 (CVSS 3.1)
CVSS 3.1 metrics: AV:N AC:L PR:N UI:R S:U C:H I:H A:H
EPSS: 1.02% (59.2th percentile)
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 1.7.0 < 1.8.6 | 1.8.6 |
| github.com | goharbor_harbor | >= 1.9.0 < 1.9.3 | 1.9.3 |
| linuxfoundation | harbor | >= 1.7.0 < 1.8.6 | 1.8.6 |
| linuxfoundation | harbor | >= 1.9.0 < 1.9.3 | 1.9.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
OSV · 2024-08-21
CVE-2019-19025 Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor in github.com/goharbor/harbor
GHSA · 2021-05-18
CVE-2019-19025 [HIGH] CWE-352 Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor
Cure53 has discovered that the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim.
The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.
Successful exploitation of this issue will lead to 3rd parties executing actions on the platform on behalf of authenticated users and administrators.
If your product uses the affected releases of Harbor, update to version 1.8.6 and 1.9.3 to patch this issue immediately.
https://github.com/goharbor/harbor/r
OSV · 2021-05-18
CVE-2019-19025 [HIGH] Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/goharbor/harbor/security/advisories
https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6
https://tanzu.vmware.com/security/cve-2019-19025
Published: 2020-03-20