{"id":"CVE-2019-16919","details":"Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.","modified":"2026-04-10T04:15:58.647945Z","published":"2019-10-18T12:15:10.190Z","related":["GHSA-x2r2-w9c7-h624"],"references":[{"type":"ADVISORY","url":"http://www.vmware.com/security/advisories/VMSA-2019-0016.html"},{"type":"ADVISORY","url":"https://landscape.cncf.io/selected=harbor"},{"type":"FIX","url":"https://github.com/goharbor/harbor/security/advisories/GHSA-x2r2-w9c7-h624"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/goharbor/harbor","events":[{"introduced":"9b073a1941df311f30911b59751280e68158550d"},{"last_affected":"220e3dee88b561bd4a4a15bc6d0aaa83d63638b0"},{"introduced":"0"},{"last_affected":"31b34e3658116e74d1ef3dd713a681765288018c"},{"introduced":"8017a20e0c04a66367d71d6a9ea80c8430ee51ef"},{"last_affected":"afb558e7bcab81e98e56036f1e493cb5a3823a53"},{"introduced":"9b073a1941df311f30911b59751280e68158550d"},{"fixed":"fb692b7b826546ce9570214614aafc3726b8dbc6"}],"database_specific":{"versions":[{"introduced":"1.8.0"},{"last_affected":"1.8.3"},{"introduced":"0"},{"last_affected":"1.9.0"},{"introduced":"1.7.0"},{"last_affected":"1.7.6"},{"introduced":"1.8.0"},{"fixed":"1.8.4"}]}}],"versions":["0.1.0","0.1.1","0.3.0","0.3.5","0.3.5-rc","0.4.0","0.4.1","0.4.5","0.5.0","0.5.0-rc1","0.5.0-rc2","1.1.0-rc1","1.1.0-rc2","v1.1.0","v1.1.0-rc3","v1.2.0-rc1","v1.2.0-rc2","v1.2.0-rc3","v1.2.0-rc4","v1.3.0-rc1","v1.4.0-rc1","v1.4.0-rc2","v1.7.0","v1.7.0-rc1","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v1.7.6","v1.7.6-rc1","v1.8.0","v1.8.1","v1.8.2","v1.8.2-rc1","v1.8.2-rc2","v1.8.3","v1.8.3-rc1","v1.9.0","v1.9.0-rc1","v1.9.0-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16919.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}