Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to reproduce the loophole CVE-2019-16097 registered by any administrator in Harbor. Many people may not know much about it. In order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

I. brief introduction

Harbor is an English word, meaning harbor, what does harbor do? it means to park goods, while goods are packed in containers. When it comes to containers, we have to mention Docker containers, because the technology of docker containers is based on the principle of containers. Therefore, Harbor is an enterprise-class Registry service for storing Docker images.

Registry is an official private repository image of Dcoker. You can tag the local image and push it to the private repository of containers starting with Registry. Enterprises can use Dokcerfile to generate their own images according to their own needs, and push them to private repositories, which can greatly improve the efficiency of pulling images.

Second, vulnerability description

CVE-2019-16097 is an arbitrary administrator registration vulnerability of Harbor. As the name implies, this vulnerability exists in the registration page of the website. The registration feature is open by default. Attackers can construct request packets and add an administrator account after adding the poc parameter. Poc has been published. Customers with old harbor are advised to update as soon as possible.

III. Scope of influence

Vulnerability impact

Harbor before 1.7.6 Harbor before 1.8.3

IV. Recurrence

Download address:

Https://github.com/mai-lang-chai/Middleware-Vulnerability-detection/tree/master/Harbor/CVE-2019-16097%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E6%B3%A8%E5%86%8C%E6%BC%8F%E6%B4%9E

Poc: registration page packet add parameter "has_admin_role": true

V. loophole defense

Upgrade the version to a version that has fixed this vulnerability, or turn off the registration feature.

After reading the above, do you have any further understanding of how to reproduce the Harbor arbitrary administrator registration vulnerability CVE-2019-16097? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.