CVE-2019-3990 (GCVE-0-2019-3990)
Vulnerability from cvelistv5 – Published: 2019-12-03 16:55 – Updated: 2024-08-04 19:26
VLAI
Summary
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality.
Severity
4.3 (Medium)
CWE
- User Enumeration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.tenable.com/security/research/tra-2019-50 | x_refsource_MISC |
| https://github.com/goharbor/harbor/security/advis… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:26:27.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2019-50"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor versions 1.9.1 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A User Enumeration flaw exists in Harbor. The issue is present in the \"/users\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the \"search\" functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User Enumeration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-03T16:55:15.000Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2019-50"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnreport@tenable.com",
"ID": "CVE-2019-3990",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Harbor",
"version": {
"version_data": [
{
"version_value": "Harbor versions 1.9.1 and prior"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A User Enumeration flaw exists in Harbor. The issue is present in the \"/users\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the \"search\" functionality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User Enumeration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tenable.com/security/research/tra-2019-50",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2019-50"
},
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg",
"refsource": "CONFIRM",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2019-3990",
"datePublished": "2019-12-03T16:55:15.000Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T19:26:27.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2019-3990",
"date": "2026-07-01",
"epss": "0.01037",
"percentile": "0.59672"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-3990\",\"sourceIdentifier\":\"vulnreport@tenable.com\",\"published\":\"2019-12-03T17:15:11.727\",\"lastModified\":\"2024-11-21T04:43:01.013\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A User Enumeration flaw exists in Harbor. The issue is present in the \\\"/users\\\" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the \\\"search\\\" functionality.\"},{\"lang\":\"es\",\"value\":\"Se presenta un fallo de Enumeraci\u00f3n de Usuarios en Harbor. El problema est\u00e1 presente en el endpoint de la API \\\"/users\\\". Se supone que este endpoint est\u00e1 restringido a los administradores. Esta restricci\u00f3n puede ser omitida y la informaci\u00f3n puede ser obtenida acerca de los usuarios registrados por medio de la funcionalidad \\\"search\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.7.0\",\"versionEndIncluding\":\"1.7.6\",\"matchCriteriaId\":\"F134317F-4296-42B6-8915-32810C62EA1E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.8.0\",\"versionEndIncluding\":\"1.8.5\",\"matchCriteriaId\":\"026081A9-A57C-44AA-95CC-2E0A984748DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:1.9.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AD98173-4AAE-485F-BA41-F0E575EFD6E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB9B2E26-AD5F-4B79-A3E1-46355602B4ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:1.9.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"2C01B4A7-A85B-4057-9923-6AD82CE37C10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:1.9.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"4003793B-3CA7-462C-9B33-8898D4A6CFD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:harbor:1.9.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8711FA8-827F-4887-BB20-53A4B0E6E9C9\"}]}]}],\"references\":[{\"url\":\"https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg\",\"source\":\"vulnreport@tenable.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/research/tra-2019-50\",\"source\":\"vulnreport@tenable.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/research/tra-2019-50\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…