
Cloud Vulnerability DB
A community-led vulnerabilities database
Cloud Native Computing Foundation Harbor versions prior to 1.8.6 and 1.9.3 contained a privilege escalation vulnerability in the VMware Harbor Container Registry for the Pivotal Platform. The vulnerability was disclosed in December 2019 and assigned CVE-2019-19023. It affected Harbor container registry installations across multiple versions (VMware Advisory, NVD).
The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability stems from the Harbor API's failure to enforce proper permissions and scope on API requests to modify email addresses. This security flaw allows manipulation of user email addresses through API calls without appropriate permission validation (VMware Advisory).
The vulnerability allows a normal user to gain administrator account privileges through unauthorized elevation. An attacker could exploit this by making an API call to modify the email address of a specific user, then reset the password for that email address to gain access to the account with elevated privileges (VMware Advisory).
Organizations running affected versions should upgrade to Harbor version 1.8.6 or 1.9.3, depending on their current version track. These patched versions include fixes for the privilege escalation vulnerability (VMware Advisory).
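The missing check described above is an object-level authorization failure on a profile-update call. The following is an added example, not Harbor's code or API: it sets the flawed pattern beside a scoped version, and every type and function name in it is hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// User and Store are hypothetical, constructed for this example;
// they are not Harbor's data model or API.
type User struct {
	ID    int
	Email string
	Admin bool
}
type Store map[int]*User

var (
	ErrForbidden = errors.New("caller may not modify this account")
	ErrNotFound  = errors.New("no such user")
)

// UpdateEmailUnchecked is the flawed pattern: the target ID from the
// request is trusted, so any authenticated caller can edit any account.
func (s Store) UpdateEmailUnchecked(caller *User, targetID int, email string) error {
	u, ok := s[targetID]
	if !ok {
		return ErrNotFound
	}
	u.Email = email
	return nil
}

// UpdateEmailChecked enforces scope before writing: a caller may change
// only their own email unless they hold the administrator role.
func (s Store) UpdateEmailChecked(caller *User, targetID int, email string) error {
	if caller == nil || (caller.ID != targetID && !caller.Admin) {
		return ErrForbidden // deny before revealing whether the target exists
	}
	u, ok := s[targetID]
	if !ok {
		return ErrNotFound
	}
	u.Email = email
	return nil
}

func main() {
	s := Store{1: {ID: 1, Email: "admin@example.test", Admin: true}, 2: {ID: 2, Email: "dev@example.test"}}
	fmt.Println(s.UpdateEmailChecked(s[2], 1, "dev2@example.test"), s[1].Email)
}
```

Because a password reset is delivered to whatever address is on file, the email field needs the same authorization as the credential itself.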
Source: This report was generated using AI