CVE-2019-19025

8.8 HIGH

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Harbor container registry software. It allows attackers to trick authenticated users into performing unintended actions on Harbor instances. Organizations running vulnerable Harbor versions are affected.

💻 Affected Systems

Products:
  • Cloud Native Computing Foundation Harbor
  • VMware Harbor Container Registry for Pivotal Platform
Versions: Harbor before 1.8.6, and 1.9.0 through 1.9.2 (before 1.9.3)
Operating Systems: All platforms running Harbor
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could create, modify, or delete container images, repositories, or user accounts, potentially compromising the entire container supply chain.

🟠 Likely Case: Unauthorized image pushes, repository modifications, or user privilege escalation leading to supply chain compromise.

🟢 If Mitigated: Limited impact with proper CSRF protections, authentication controls, and network segmentation in place.

🌐 Internet-Facing: HIGH - Internet-facing Harbor instances are directly exposed to CSRF attacks from malicious websites.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to attacks from compromised internal systems or phishing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks require user interaction (the victim visits an attacker-controlled site while holding an authenticated Harbor session), but the technique is well understood and simple to carry out.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Harbor 1.8.6 or 1.9.3

Vendor Advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-gcqm-v682-ccw6

Restart Required: Yes

Instructions:

1. Back up Harbor configuration and data.
2. Stop Harbor services.
3. Upgrade to Harbor 1.8.6 or 1.9.3 following the official upgrade documentation.
4. Restart Harbor services.
5. Verify functionality.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all)

Add CSRF protection headers to the Harbor deployment:
  • Configure the reverse proxy (nginx/apache) to add CSRF tokens
  • Implement SameSite cookie attributes

Network Segmentation (applies to: all)

Restrict Harbor access to trusted networks only:
  • Configure firewall rules to limit Harbor access
  • Implement network segmentation between Harbor and user networks

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and CSRF tokens via reverse proxy
  • Restrict Harbor access to internal networks only and implement strict access controls

🔍 How to Verify

Check if Vulnerable:

Check Harbor version via web interface or API. Vulnerable if version < 1.8.6 or between 1.9.0 and 1.9.2.

Check Version:

curl -k https://harbor-host/api/systeminfo | grep "harbor_version"

Verify Fix Applied:

Confirm Harbor version is 1.8.6 or higher, or 1.9.3 or higher. Test CSRF protection by attempting to submit forms without valid tokens.
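A small checker, added here as an example (it is not part of the advisory or of the Harbor project), that applies the version ranges above to the harbor_version field returned by /api/systeminfo. The sample JSON is constructed; the harbor-host URL, the check_host helper, and the assumption that version strings look like v1.9.2 or 1.8.6-<build> are all assumptions of this example.

```python
import json
import re
import ssl
import urllib.request

# Fixed releases named in the advisory summary: 1.8.6 closes the 1.8 line,
# 1.9.3 closes the 1.9 line.
FIXED_18 = (1, 8, 6)
FIXED_19 = (1, 9, 3)

# Constructed sample of a /api/systeminfo body. The harbor_version field name
# matches the grep in the curl line above; the other fields are illustrative.
SAMPLE_SYSTEMINFO = (
    '{"harbor_version": "v1.9.2", "auth_mode": "db_auth", '
    '"self_registration": false}'
)


def parse_version(raw):
    """Turn 'v1.9.2' or '1.8.6-abc123' into a (major, minor, patch) tuple.
    Assumes a leading 'v' and a '-suffix' are the only decorations."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError("unrecognised Harbor version string: %r" % raw)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version is in a range the page marks as affected:
    anything below 1.8.6, or 1.9.0 through 1.9.2."""
    v = parse_version(version)
    if v < FIXED_18:
        return True
    if (1, 9, 0) <= v < FIXED_19:
        return True
    return False


def version_from_systeminfo(body):
    """Extract harbor_version from a /api/systeminfo response body."""
    return json.loads(body)["harbor_version"]


def check_host(base_url, insecure=False):
    """Fetch /api/systeminfo from a live instance and classify it (the
    scripted equivalent of the curl line; insecure=True mirrors curl -k).
    base_url is e.g. https://harbor-host (hypothetical)."""
    ctx = None
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/api/systeminfo"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        version = version_from_systeminfo(resp.read().decode())
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Offline run against the constructed sample.
    v = version_from_systeminfo(SAMPLE_SYSTEMINFO)
    print(v, "VULNERABLE" if is_vulnerable(v) else "fixed")
```

Versions from other lines (1.10.x and later) fall outside both affected ranges and are reported as fixed, which matches the advisory's statement that 1.8.6 and 1.9.3 are the first fixed releases.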

📡 Detection & Monitoring

Log Indicators:

  • Unexpected repository modifications
  • Unauthorized image pushes from unusual user agents
  • Failed CSRF token validation attempts

Network Indicators:

  • HTTP requests to Harbor API without Referer headers
  • Cross-origin requests to Harbor endpoints

SIEM Query:

source="harbor" AND (action="create" OR action="modify" OR action="delete") AND user_agent CONTAINS "malicious"
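An added example (not from the advisory) of the Origin/Referer check behind the network indicators above, run over constructed log lines in a simplified reverse-proxy access-log layout; this is not Harbor's own log format, and HARBOR_ORIGIN, the client addresses and the API paths are illustrative. It flags state-changing API calls whose Origin or Referer is absent or belongs to another site, which is the shape a CSRF-delivered request takes at the proxy.

```python
import re
from urllib.parse import urlparse

# The Harbor instance's own origin (hypothetical host). Any other origin on a
# state-changing request is cross-site.
HARBOR_ORIGIN = "https://harbor.example.internal"

# Constructed sample lines in the layout:
#   client method path status "origin" "referer" "user-agent"
# A "-" means the header was absent; "null" is the opaque origin a browser
# sends from sandboxed or privacy-restricted contexts.
SAMPLE_LOG = """\
10.0.0.5 GET /api/repositories?project_id=3 200 "-" "https://harbor.example.internal/harbor/projects" "Mozilla/5.0"
10.0.0.5 POST /api/users 201 "https://harbor.example.internal" "https://harbor.example.internal/harbor/users" "Mozilla/5.0"
10.0.0.9 DELETE /api/repositories/library/app 200 "https://evil.example.com" "https://evil.example.com/page.html" "Mozilla/5.0"
10.0.0.9 PUT /api/users/7/sysadmin 200 "-" "-" "Mozilla/5.0"
10.0.0.12 POST /api/projects 201 "null" "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<origin>[^"]*)" "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CSRF only matters for requests that change state; reads are left alone.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def origin_of(url):
    """Reduce a header value to scheme://host, or None if it is absent/opaque."""
    if url in ("-", "", "null"):
        return None
    p = urlparse(url)
    if not p.scheme or not p.netloc:
        return None
    return "%s://%s" % (p.scheme, p.netloc.lower())


def classify(line):
    """Return (record, verdict) for one log line, or None if it does not parse.
    Verdicts: 'ok', 'cross-origin' (another site, or opaque 'null' origin),
    'no-origin' (state-changing call with neither Origin nor Referer)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] not in STATE_CHANGING:
        return rec, "ok"
    if rec["origin"] == "null":
        return rec, "cross-origin"
    src = origin_of(rec["origin"]) or origin_of(rec["referer"])
    if src is None:
        return rec, "no-origin"
    if src != HARBOR_ORIGIN.lower():
        return rec, "cross-origin"
    return rec, "ok"


def suspicious_requests(log_text):
    """Collect (verdict, client, method, path) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        res = classify(line)
        if res is not None and res[1] != "ok":
            rec, verdict = res
            hits.append((verdict, rec["client"], rec["method"], rec["path"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("%-12s %-10s %-6s %s" % hit)
```

Treat "no-origin" as a lower-confidence signal than "cross-origin": some clients and privacy extensions strip Referer on legitimate same-site requests, whereas a foreign or null Origin on a write to the API has no benign explanation in a browser-driven session. To use this in practice the proxy in front of Harbor has to log the Origin and Referer headers, which default access-log formats usually do not.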

🔗 References
