x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2019-3990

[tatianab]

CVE-2019-3990 references github.com/goharbor/harbor, which may be a Go module.

Description:
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained about registered users can be obtained via the "search" functionality.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-3990
• web: https://www.tenable.com/security/research/tra-2019-50
• advisory: GHSA-6qj9-33j4-rvhg
• Imported by: https://pkg.go.dev/github.com/goharbor/harbor?tab=importedby

Cross references:

• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-q9x4-q76f-5h5j #704 EFFECTIVELY_PRIVATE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-33p6-fx42-7rf5 #781 NOT_IMPORTABLE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-38r5-34mr-mvm7 #785 NOT_IMPORTABLE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-jr34-mff8-pc6f #853 NOT_IMPORTABLE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-q6cj-6jvq-jwmh #863 NOT_IMPORTABLE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-rffr-c932-cpxv #876 NOT_IMPORTABLE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-w4x5-jqq4-qc8x #883 NOT_IMPORTABLE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31667, GHSA-xx9w-464f-7h6f #1009 EFFECTIVELY_PRIVATE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31669, GHSA-8c6p-v837-77f6 #1010 EFFECTIVELY_PRIVATE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31666, GHSA-jf8p-3vjh-pq94 #1011 EFFECTIVELY_PRIVATE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31670, GHSA-3637-v6vq-xqqw #1012 EFFECTIVELY_PRIVATE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31671, GHSA-q76q-q8hw-hmpw #1013 EFFECTIVELY_PRIVATE
• Module github.com/goharbor/harbor appears in issue x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-mq6f-5xh5-hgcf #2109 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/goharbor/harbor
      vulnerable_at: 2.9.1+incompatible
      packages:
        - package: Harbor
cves:
    - CVE-2019-3990
references:
    - web: https://www.tenable.com/security/research/tra-2019-50
    - advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-6qj9-33j4-rvhg

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports