CVE-2019-19030


CVSS 5.3 MEDIUM · EPSS 1.9% · CWE-204
In short

Harbor's API reveals whether resources exist by returning different HTTP status codes to unauthenticated users, allowing attackers to discover what projects, repositories, or other resources are stored in the system without needing login credentials.

Technical detail

CWE-204 (observable response discrepancy) information disclosure in Harbor API endpoints: they respond with different HTTP status codes (e.g., 404 vs 403) depending on whether a resource exists, which allows unauthenticated enumeration of resources. No authentication is required; the impact is unauthorized disclosure of system inventory.

Summary generated and translated by AI from the official description.
Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
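
The status-code discrepancy described above can be pinned down as a regression check. The following Go sketch is an added example, not Harbor's code or its actual fix: the project names, the `/projects?name=` route, the use of a Basic auth header as a stand-in for authentication, and the choice of 401 as the uniform answer are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample inventory (project name -> public?); not Harbor data.
var projects = map[string]bool{"library": true, "payroll": false}

// leakyStatus checks existence before the caller: anonymous gets 403 vs 404.
func leakyStatus(name string, authed bool) int {
	public, exists := projects[name]
	if !exists {
		return http.StatusNotFound
	}
	if !public && !authed {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// uniformStatus collapses every anonymous denial into a single status code.
func uniformStatus(name string, authed bool) int {
	code := leakyStatus(name, authed)
	if !authed && code != http.StatusOK {
		return http.StatusUnauthorized // same answer for "private" and "missing"
	}
	return code
}

func probe(decide func(string, bool) int, name string) int {
	rec := httptest.NewRecorder() // in-memory anonymous GET, no network involved
	http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _, authed := r.BasicAuth() // stand-in for real authentication
		w.WriteHeader(decide(r.URL.Query().Get("name"), authed))
	}).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/projects?name="+name, nil))
	return rec.Code
}

// leaksExistence reports whether anonymous status codes reveal existence.
func leaksExistence(decide func(string, bool) int) bool {
	return probe(decide, "payroll") != probe(decide, "no-such-project")
}

func main() {
	fmt.Println("leaky:", leaksExistence(leakyStatus), "uniform:", leaksExistence(uniformStatus))
}
```

A check like `leaksExistence` compares only status codes; response bodies, headers and timing would need the same comparison to rule out other discrepancies.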
Affected products
n/a · n/a
