The internal Harbor team has identified a critical Broken Access Control vulnerability. It allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull permissions on a project they do not have access to or control over. The Harbor API did not enforce the proper project permissions and project scope on the API request that creates a new robot account. The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.
Known Attack Vectors
A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.
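The missing check is a project-scope validation on the robot-account creation request: every permission the request asks for must refer to the project named in the request itself, not to some other project. The following Go snippet is an added example of such a server-side check and is not Harbor's own code; it assumes a request shape in which each access entry carries a resource path of the form "/project/<id>/<subresource>" and an action of "pull" or "push" (both the path format and the action names are assumptions for this illustration).

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Access is one permission entry requested for a robot account.
// The shape (a resource path plus an action) is an assumption for
// this example, not Harbor's own type.
type Access struct {
	Resource string
	Action   string
}

var (
	ErrBadResource   = errors.New("malformed resource path")
	ErrWrongProject  = errors.New("resource belongs to a different project")
	ErrUnknownAction = errors.New("unsupported action")
)

// allowedActions lists what a project admin may grant a robot (assumed).
var allowedActions = map[string]bool{"pull": true, "push": true}

// projectIDFromResource extracts the project id from a resource path
// of the assumed form "/project/<id>/<subresource>".
func projectIDFromResource(resource string) (int64, error) {
	parts := strings.Split(strings.Trim(resource, "/"), "/")
	if len(parts) < 2 || parts[0] != "project" {
		return 0, ErrBadResource
	}
	id, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || id <= 0 {
		return 0, ErrBadResource
	}
	return id, nil
}

// ValidateRobotRequest enforces project scope: every access entry must
// target the project named in the request URL (projectID), and every
// action must be one a project admin is permitted to grant. A request
// that passes this check cannot mint a robot account with rights in an
// adjacent project, which is the failure the advisory describes.
func ValidateRobotRequest(projectID int64, accesses []Access) error {
	if len(accesses) == 0 {
		return errors.New("robot account must request at least one access")
	}
	for i, a := range accesses {
		id, err := projectIDFromResource(a.Resource)
		if err != nil {
			return fmt.Errorf("access[%d]: %w", i, err)
		}
		if id != projectID {
			return fmt.Errorf("access[%d]: %w (got %d, want %d)", i, ErrWrongProject, id, projectID)
		}
		if !allowedActions[a.Action] {
			return fmt.Errorf("access[%d]: %w %q", i, ErrUnknownAction, a.Action)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a request against project 7 whose second entry
	// asks for push rights on project 9. The check rejects the whole request.
	req := []Access{
		{Resource: "/project/7/repository", Action: "pull"},
		{Resource: "/project/9/repository", Action: "push"},
	}
	fmt.Println(ValidateRobotRequest(7, req))
}
```

The check rejects the entire request rather than silently dropping the out-of-scope entry, so a caller never ends up with a robot account holding a subset of what it asked for; the project id from the URL path, which has already passed the caller's authorization check, is the only source of truth for scope.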
If your product uses the affected releases of Harbor, update to version 1.8.4 or 1.9.1 immediately to patch this issue.
There is no workaround for this issue.
For more information
If you have any questions or comments about this advisory, contact firstname.lastname@example.org
View our security policy at https://github.com/goharbor/harbor/security/policy