CVE-2019-3990

MEDIUM

Harbor >=1.7.0 <1.7.6 - User Enumeration via Search Functionality

Title source: llm
STIX 2.1

Description

A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality.

References (2)

Core 2
Core References
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2019-50
Patch, Third Party Advisory x_refsource_confirm
https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg

Scores

CVSS v3 4.3
EPSS 0.0031
EPSS Percentile 54.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-269
Status published
Products (3)
linuxfoundation/harbor 1.9.0 (3 CPE variants)
linuxfoundation/harbor 1.9.1 (2 CPE variants)
linuxfoundation/harbor 1.7.0 - 1.7.6
Published Dec 03, 2019
Tracked Since Feb 18, 2026