VMware Harbor Registry is an enterprise-class registry server that stores and distributes container images. By submitting a crafted request to a Harbor registry, an attacker can gain control of it: in Harbor 1.7.0 or 1.8.2, a non-admin user can create an admin account through the POST /api/users API, which core/api/user.go permits.
Impacted Products
- VMware Cloud Foundation
- VMware Harbor Container Registry for PCF
How to determine if your deployment is affected:
- You are using database authentication.
- You have enabled self-registration.
Mitigation / Precaution
- If your product relies on Harbor, update immediately to 1.7.6 (1.7.x) or 1.8.3 (1.8.x).
- In your Harbor Container Registry, disable self-registration for users.
- Instead of database authentication, use a different identity provider (such as an LDAP directory).
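The two exposure conditions above (database authentication plus self-registration) and the fixed versions from the mitigation list can be checked offline against a registry's GET /api/systeminfo response. The following is an added example, not VMware's or the Harbor project's code; it assumes the Harbor 1.x systeminfo field names `harbor_version`, `auth_mode` (value `db_auth`) and `self_registration`, and treats any release on the 1.7 or 1.8 branch below the fixed version as unpatched.

```python
"""Offline exposure check for the Harbor self-registration issue described in this advisory."""
import json
import re

# Fixed releases named in the advisory; older releases on the same branch are treated as unpatched.
FIXED_VERSIONS = {(1, 7): (1, 7, 6), (1, 8): (1, 8, 3)}


def parse_version(harbor_version: str) -> tuple:
    """Extract major.minor.patch from a Harbor version string such as 'v1.8.2-6e4e2ab1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", harbor_version)
    if not m:
        raise ValueError(f"unrecognised Harbor version: {harbor_version!r}")
    return tuple(int(x) for x in m.groups())


def is_unpatched(version: tuple) -> bool:
    """True when the version is on the 1.7 or 1.8 branch and below the fixed release."""
    fixed = FIXED_VERSIONS.get(version[:2])
    return fixed is not None and version < fixed


def assess(systeminfo: dict) -> dict:
    """Evaluate the advisory's conditions against a parsed /api/systeminfo response.

    The deployment is reported as exposed only when all three hold: unpatched
    version, database authentication, and self-registration enabled.
    """
    version = parse_version(systeminfo.get("harbor_version", ""))
    findings = {
        "unpatched_version": is_unpatched(version),
        "db_auth": systeminfo.get("auth_mode") == "db_auth",
        "self_registration": bool(systeminfo.get("self_registration", False)),
    }
    findings["exposed"] = all(findings.values())
    return findings


# Constructed sample response (assumed field names follow Harbor 1.x /api/systeminfo).
SAMPLE_SYSTEMINFO = json.loads("""{
  "harbor_version": "v1.8.2-6e4e2ab1",
  "auth_mode": "db_auth",
  "self_registration": true,
  "registry_url": "harbor.example.invalid"
}""")

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SYSTEMINFO), indent=2))
```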