{"id":"CVE-2019-16097","details":"core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with DB as the authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.","aliases":["GHSA-9wvh-ff5f-xjpj","GO-2022-0818"],"modified":"2026-04-10T04:15:50.749337Z","published":"2019-09-08T16:15:11.820Z","references":[{"type":"ADVISORY","url":"http://www.vmware.com/security/advisories/VMSA-2019-0015.html"},{"type":"ADVISORY","url":"https://github.com/goharbor/harbor/releases/tag/v1.7.6"},{"type":"ADVISORY","url":"https://github.com/goharbor/harbor/releases/tag/v1.8.3"},{"type":"ADVISORY","url":"https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/"},{"type":"FIX","url":"https://github.com/goharbor/harbor/commit/b6db8a8a106259ec9a2c48be8a380cb3b37cf517"},{"type":"FIX","url":"https://github.com/goharbor/harbor/compare/v1.8.2...v1.9.0-rc1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/goharbor/harbor","events":[{"introduced":"0"},{"last_affected":"8017a20e0c04a66367d71d6a9ea80c8430ee51ef"},{"introduced":"0"},{"last_affected":"bcd6947fcc76ede0893c9885b1945ead7bfc6866"},{"introduced":"0"},{"last_affected":"3b3311b4f3aa78d75af3a7f230d5a53ec47d775a"},{"introduced":"0"},{"last_affected":"c380652540cb8061cff50f0ce2115fc6d217019b"},{"introduced":"0"},{"last_affected":"98ab7f5644d691c34824d790697a8c240f3aaf8d"},{"introduced":"0"},{"last_affected":"46882f220d49b7492fb37f69fc7f996a3dc57864"},{"introduced":"0"},{"last_affected":"ce6a623748a74f3a779749a355327bb2e80f3ff8"},{"introduced":"0"},{"last_affected":"a8f6543ac3a21327745f0990df0e13910fbe579b"},{"introduced":"0"},{"last_affected":"9b073a1941df311f30911b59751280e68158550d"},{"introduced":"0"},{"last_affected":"3
4f02189d72e72ebb5871265b5554d1c0c25bb5e"},{"introduced":"0"},{"last_affected":"25bb24cacbad985246dffbdb883d4bfecaf6aa52"},{"introduced":"0"},{"last_affected":"16b59c41cdbe56fdd6a61e6794621885198edebe"},{"introduced":"0"},{"last_affected":"1c3a3d532f6f315ed2f948631c9e0498e15e715a"},{"introduced":"0"},{"last_affected":"ddc119a1547098e978b226420c7b45f5bfd691e8"},{"introduced":"0"},{"last_affected":"1c3a3d532f6f315ed2f948631c9e0498e15e715a"},{"introduced":"0"},{"last_affected":"3ab5d5f0e55d905f5651ccc6c08ada719c26eb90"},{"fixed":"b6db8a8a106259ec9a2c48be8a380cb3b37cf517"},{"fixed":"afb558e7bcab81e98e56036f1e493cb5a3823a53"},{"fixed":"220e3dee88b561bd4a4a15bc6d0aaa83d63638b0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.7.0-NA"},{"introduced":"0"},{"last_affected":"1.7.0-rc1"},{"introduced":"0"},{"last_affected":"1.7.0-rc2"},{"introduced":"0"},{"last_affected":"1.7.1"},{"introduced":"0"},{"last_affected":"1.7.2"},{"introduced":"0"},{"last_affected":"1.7.3"},{"introduced":"0"},{"last_affected":"1.7.4"},{"introduced":"0"},{"last_affected":"1.7.5"},{"introduced":"0"},{"last_affected":"1.8.0-NA"},{"introduced":"0"},{"last_affected":"1.8.0-rc1"},{"introduced":"0"},{"last_affected":"1.8.0-rc2"},{"introduced":"0"},{"last_affected":"1.8.1"},{"introduced":"0"},{"last_affected":"1.8.2-NA"},{"introduced":"0"},{"last_affected":"1.8.2-rc1"},{"introduced":"0"},{"last_affected":"1.8.2-rc2"},{"introduced":"0"},{"last_affected":"1.9.0-rc1"}]}}],"versions":["0.1.0","0.1.1","0.3.0","0.3.5","0.3.5-rc","0.4.0","0.4.1","0.4.5","0.5.0","0.5.0-rc1","0.5.0-rc2","1.1.0-rc1","1.1.0-rc2","v1.1.0","v1.1.0-rc3","v1.2.0-rc1","v1.2.0-rc2","v1.2.0-rc3","v1.2.0-rc4","v1.3.0-rc1","v1.4.0-rc1","v1.4.0-rc2","v1.7.0","v1.7.0-rc1","v1.7.0-rc2","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v1.8.0","v1.8.0-rc1","v1.8.0-rc2","v1.8.1","v1.8.2","v1.8.2-rc1","v1.8.2-rc2","v1.8.3-rc1","v1.9.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-outpu
t/CVE-2019-16097.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}