According to reliable reports, a flaw that allows any user to escalate privileges to administrator has impacted Harbor registries with default settings.

The vulnerability, tracked as CVE-2019-16097, could let an attacker take over Harbor registries via malicious requests. Security researchers also found around 1,300 vulnerable registries exposed to the Internet with default settings.

An attacker abusing this vulnerability could download and inspect private projects, delete images in the registry, or even poison the registry by replacing its images with their own.

“The attacker can create a new user and set it to be admin. After that, they can connect to Harbor registry via the Docker command line tool with the new credentials and replace the current images with anything they desire. These can include malware, crypto miners or even worse,” the researchers explain.

The issue, researchers say, lies in one of the available API calls: a user can send a POST request that reaches the code responsible for registering new users.

“I wrote a simple Python script that sends a post request to /api/users in order to create a new user with admin privileges, by setting the ‘has_admin_role’ parameter in the request body to True. After running this script, all we need to do is to open Harbor in the browser and just sign in to the user we created,” explains Aviv Sasson, a researcher at Palo Alto Networks.
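As an added example (not Harbor's code and not the researcher's script), the Go sketch below models the registration pattern the report describes: a handler that trusts a client-supplied `has_admin_role` field next to a hardened one that ignores the flag unless the caller is already an authenticated admin. The type and function names, and the request body, are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// registerRequest is a constructed model of a self-registration body; the
// field name mirrors the 'has_admin_role' parameter named in the report.
type registerRequest struct {
	Username     string `json:"username"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

type user struct {
	Username string
	Admin    bool
}

// vulnerableRegister copies the caller-supplied role flag into the new
// account, so an unauthenticated registration can yield an administrator.
func vulnerableRegister(body []byte) (user, error) {
	var req registerRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return user{}, err
	}
	return user{Username: req.Username, Admin: req.HasAdminRole}, nil
}

// hardenedRegister honours has_admin_role only when the caller is already an
// authenticated admin; plain self-registration always produces a normal user.
func hardenedRegister(body []byte, callerIsAdmin bool) (user, error) {
	var req registerRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return user{}, err
	}
	if req.Username == "" || req.Password == "" {
		return user{}, errors.New("username and password are required")
	}
	return user{Username: req.Username, Admin: callerIsAdmin && req.HasAdminRole}, nil
}

func main() {
	// Constructed body of the kind described in the report.
	body := []byte(`{"username":"newuser","password":"pw","has_admin_role":true}`)
	v, _ := vulnerableRegister(body)
	h, _ := hardenedRegister(body, false)
	fmt.Printf("vulnerable grants admin: %v, hardened grants admin: %v\n", v.Admin, h.Admin)
}
```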

The researcher responsibly disclosed the vulnerability to Harbor, which has already issued patches to address it. Harbor versions 1.7.6 and 1.8.3 include the fix, which prevents non-admin users from creating a new admin user.

Affected versions are 1.7.0 through 1.8.2, and all users are advised to update their Harbor installations to prevent others from gaining full access to their registry.
