Linuxfoundation Harbor — known CVE vulnerabilities
Every CVE whose affected-product data names Linuxfoundation Harbor, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (23)
CVE-2019-19023 — CVSS 8.8 (high): Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container…
CVE-2019-19025 — CVSS 8.8 (high): Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal…
CVE-2017-17697 — CVSS 8.6 (high): The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.
CVE-2022-31666 — CVSS 7.7 (high): Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook…
CVE-2022-31670 — CVSS 7.7 (high): Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy…
CVE-2022-46463 — CVSS 7.5 (high): An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication…
CVE-2019-16919 — CVSS 7.5 (high): Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a…
CVE-2022-31671 — CVSS 7.4 (high): Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a…
CVE-2022-31668 — CVSS 7.4 (high): Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with…
CVE-2019-19029 — CVSS 7.2 (high): Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container…
CVE-2019-16097 — CVSS 6.5 (medium): core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is…
CVE-2024-22278 — CVSS 6.4 (medium): Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
CVE-2022-31667 — CVSS 6.4 (medium): Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t…
CVE-2022-31669 — CVSS 6.4 (medium): Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability…
CVE-2023-20902 — CVSS 5.9 (medium): A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an…
CVE-2019-19030 — CVSS 5.3 (medium): Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls…
CVE-2020-29662 — CVSS 5.3 (medium): In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.
CVE-2019-19026 — CVSS 4.9 (medium): Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container…
CVE-2020-13788 — CVSS 4.3 (medium): Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on…
CVE-2019-3990 — CVSS 4.3 (medium): A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to…