VMware yesterday issued a security advisory acknowledging a critical “broken access control” vulnerability found in VMware Cloud Foundation and Harbor Container Registry for Pivotal Cloud Foundry (PCF).
According to the advisory, a malicious actor with administrative access to one project could exploit the flaw to “create a robot account inside of an adjacent project via the Harbor API.” That robot account would then allow the attacker to push, pull or modify images in the targeted adjacent project.
Designated CVE-2019-16919, the vulnerability was assigned a maximum CVSSv3 base score of 9.1. The flaw affects versions 1.8.x of Harbor, an enterprise-class registry server for storing and distributing container images, and is fixed in release v1.8.4. (Versions 1.7.x are unaffected.) A patch is still pending for the company’s VMware Cloud Foundation integrated software stack.