PT-2019-14506 · VMware · Harbor

Aviv Sasson · Published 2019-09-08 · Updated 2024-08-21 · CVE-2019-16097

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Harbor versions 1.7.0 through 1.8.2

Description: The "POST /api/users" API endpoint lets a non-admin user create an administrator account. When Harbor is configured with the database as its authentication backend and self-registration is enabled, the endpoint accepts the administrator-role attribute of the user object from the request body without checking that the caller is itself an administrator, so a self-registering user can submit an account with that attribute set. This enables privilege escalation from a non-admin to an admin account.

Recommendations: For Harbor versions 1.7.0 through 1.8.2, update to version 1.7.6, 1.8.3, or 1.9.0 to resolve the issue. As a temporary workaround, disable self-registration, or configure Harbor to use a non-DB authentication backend such as LDAP; both remove the precondition the issue depends on.
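The flaw described above is a missing authorization check on one privileged field of a request body, not on the endpoint as a whole. The following Go example is added for this page and is illustrative code, not Harbor's own handler: the `User` and `Caller` types, the `createUserVulnerable`/`createUserFixed` functions, the `selfRegistration` parameter and the sample request body are all assumptions made here. Only the `has_admin_role` attribute name mirrors Harbor's user API. The vulnerable variant gates who may call the endpoint and then persists the decoded body as-is; the fixed variant additionally authorizes the role flag, clearing it for any non-admin caller.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is the illustrative request/storage shape for POST /api/users
// (assumed for this example; not Harbor's type). The role flag lives in the
// same struct the JSON body is bound to, which is the mass-assignment
// pattern behind the privilege escalation.
type User struct {
	Username     string `json:"username"`
	Email        string `json:"email"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// Caller is who invoked the endpoint. A self-registering user has
// IsAdmin=false; a logged-in administrator has IsAdmin=true.
type Caller struct {
	IsAdmin bool
}

var ErrNotAllowed = errors.New("user creation not allowed for this caller")

// decodeAndValidate does the checks both variants share: parse the body and
// require the basic fields. It deliberately says nothing about the role.
func decodeAndValidate(body []byte) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	if u.Username == "" || u.Email == "" || u.Password == "" {
		return User{}, errors.New("username, email and password are required")
	}
	return u, nil
}

// createUserVulnerable gates who may call the endpoint (admins always,
// anyone else only while self-registration is on) but then returns the
// decoded body for storage unchanged, so a self-registering client that
// sends "has_admin_role": true becomes an administrator.
func createUserVulnerable(c Caller, selfRegistration bool, body []byte) (User, error) {
	if !c.IsAdmin && !selfRegistration {
		return User{}, ErrNotAllowed
	}
	return decodeAndValidate(body)
}

// createUserFixed applies the same endpoint gate and additionally authorizes
// the privileged field: only an administrator may set has_admin_role, and a
// non-admin caller has the flag cleared no matter what the body contained.
func createUserFixed(c Caller, selfRegistration bool, body []byte) (User, error) {
	if !c.IsAdmin && !selfRegistration {
		return User{}, ErrNotAllowed
	}
	u, err := decodeAndValidate(body)
	if err != nil {
		return User{}, err
	}
	if !c.IsAdmin {
		u.HasAdminRole = false
	}
	return u, nil
}

// escalationBody is a constructed request body for the self-registration
// escalation described in the advisory (example data, not a captured request).
const escalationBody = `{"username":"eve","email":"eve@example.test","password":"S3lf-Reg!","has_admin_role":true}`

func main() {
	anon := Caller{IsAdmin: false}
	v, err := createUserVulnerable(anon, true, []byte(escalationBody))
	fmt.Printf("vulnerable: admin=%v err=%v\n", v.HasAdminRole, err)
	f, err := createUserFixed(anon, true, []byte(escalationBody))
	fmt.Printf("fixed:      admin=%v err=%v\n", f.HasAdminRole, err)
	_, err = createUserFixed(anon, false, []byte(escalationBody))
	fmt.Printf("fixed, self-registration off: err=%v\n", err)
}
```

Clearing the flag matches the shape of the upstream remediation; an equally valid design is to reject the request outright when a non-admin sends `has_admin_role: true`, which is noisier in the logs and therefore easier to alert on. Either way, the check belongs on the field, not only on the route: the endpoint gate alone is exactly what the vulnerable versions already had.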

Exploit

Fix

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2019-16097
GHSA-9WVH-FF5F-XJPJ
GO-2022-0818

Affected Products

Harbor