CVE-2019-19029
Description
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Harbor before 1.8.6/1.9.3 allows SQL injection via user-groups, enabling disclosure of secrets and privilege escalation.
Vulnerability
Overview
Cloud Native Computing Foundation Harbor, versions prior to 1.8.6 and 1.9.3, contains a SQL injection vulnerability in the processing of user-groups [1][4]. The flaw allows an authenticated user with Project-Admin privileges to craft malicious input that bypasses input sanitization, executing arbitrary SQL queries against the backend database [4].
Exploitation
To exploit this vulnerability, an attacker must have a valid Harbor account with at least Project-Admin permissions for a given project [4]. The injection occurs when the attacker manipulates user-group parameters, which are insufficiently sanitized before being used in SQL statements [2]. No special network position is required beyond standard API access to Harbor's management endpoints.
Impact
Successful exploitation enables the attacker to read secrets stored in the database, such as credentials or tokens, as well as perform privilege escalation to gain broader control over the registry [4]. This could lead to unauthorized access to container images, configuration changes, or further compromise of the Harbor instance and its integrated systems.
Mitigation
Harbor versions 1.8.6 and 1.9.3 contain the fix for this vulnerability [4]. Users running earlier versions should upgrade immediately. No workarounds are documented. The issue was discovered and reported by Cure53 [4].
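The advisory text above only says that user-group input reaches SQL statements without adequate sanitization, so the following is an added illustration of that bug class and its standard fix, not Harbor's code: a hypothetical `user_group` table (constructed sample rows, not Harbor's schema), a lookup that splices the caller-supplied group name into the query text, and the same lookup done with a bound parameter. The allowlist in `is_well_formed_group_name` is an assumed defense-in-depth check, not something the advisory prescribes.

```python
import re
import sqlite3

# Constructed sample rows standing in for a registry's user-group table (not Harbor's schema).
GROUPS = [
    (1, "dev-team", "cn=dev-team,ou=groups,dc=example,dc=org"),
    (2, "ops-team", "cn=ops-team,ou=groups,dc=example,dc=org"),
    (3, "security-admins", "cn=security-admins,ou=groups,dc=example,dc=org"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_group (id INTEGER PRIMARY KEY, group_name TEXT, ldap_dn TEXT)"
    )
    conn.executemany("INSERT INTO user_group VALUES (?, ?, ?)", GROUPS)
    return conn


def find_group_vulnerable(conn, group_name):
    """Anti-pattern: the caller-supplied name becomes part of the SQL text itself."""
    sql = "SELECT id, group_name FROM user_group WHERE group_name = '%s'" % group_name
    return conn.execute(sql).fetchall()


def find_group_safe(conn, group_name):
    """Fix: the name is passed as a bound parameter, so the driver never parses it as SQL."""
    sql = "SELECT id, group_name FROM user_group WHERE group_name = ?"
    return conn.execute(sql, (group_name,)).fetchall()


# Assumed defense-in-depth allowlist for illustration; real group names may be broader.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def is_well_formed_group_name(group_name):
    """Reject names outside a conservative allowlist before they reach any query."""
    return GROUP_NAME_RE.fullmatch(group_name) is not None


def vulnerable_query_breaks_on(conn, group_name):
    """True if the string-spliced query fails to parse for this input (e.g. a legitimate apostrophe)."""
    try:
        find_group_vulnerable(conn, group_name)
        return False
    except sqlite3.OperationalError:
        return True


def run_demo():
    """Compare both lookups on a normal name and on a textbook tautology payload."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "safe_normal": find_group_safe(conn, "dev-team"),
        "vulnerable_rows_leaked": len(find_group_vulnerable(conn, tautology)),
        "safe_rows_for_payload": len(find_group_safe(conn, tautology)),
        "payload_passes_allowlist": is_well_formed_group_name(tautology),
        "vulnerable_breaks_on_apostrophe": vulnerable_query_breaks_on(conn, "o'brien-team"),
        "safe_handles_apostrophe": find_group_safe(conn, "o'brien-team"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The string-spliced version returns every row for the tautology input and raises a syntax error on a perfectly legitimate name containing an apostrophe; the parameterized version returns only exact matches in both cases. The allowlist is a second layer, not a substitute for parameter binding: it narrows what can reach the database, but binding is what removes the injection.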
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/goharbor/harbor (Go) | >= 1.7.0, < 1.8.6 | 1.8.6 |
| github.com/goharbor/harbor (Go) | >= 1.9.0, < 1.9.3 | 1.9.3 |
Affected products
- Cloud Native Computing Foundation / Harbor
Patches
2730d6d28a567 Merge pull request #9893 from stonezdj/remove_tedious_msg_190
1 file changed · +1 −1
src/common/config/manager.go+1 −1 modified@@ -189,7 +189,7 @@ func (c *CfgManager) Save() error { func (c *CfgManager) Get(key string) *metadata.ConfigureValue { configValue, err := c.store.Get(key) if err != nil { - log.Errorf("failed to get key %v, error: %v", key, err) + log.Debugf("failed to get key %v, error: %v", key, err) configValue = &metadata.ConfigureValue{} } return configValue
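Review bot: Lowering the message in CfgManager.Get from log.Errorf to log.Debugf means a failure to read a configuration key no longer appears at the default log level, while the function still returns an empty ConfigureValue as though the key existed; keep at least a warning-level entry or return the error to the caller so a misconfiguration is not silently masked. Note also that this hunk touches only logging in the config manager and nothing in user-group handling or SQL construction, so it does not by itself account for the SQL injection fix described in the advisory.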
5d2c4c2df6bb Merge pull request #9890 from reasonerjt/bump-up-clair-1.8.0
1 file changed · +1 −1
Makefile+1 −1 modified@@ -102,7 +102,7 @@ PREPARE_VERSION_NAME=versions REGISTRYVERSION=v2.7.1-patch-2819 NGINXVERSION=$(VERSIONTAG) NOTARYVERSION=v0.6.1 -CLAIRVERSION=v2.0.8 +CLAIRVERSION=v2.1.0 CLAIRDBVERSION=$(VERSIONTAG) MIGRATORVERSION=$(VERSIONTAG) REDISVERSION=$(VERSIONTAG)
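Review bot: This hunk only bumps CLAIRVERSION from v2.0.8 to v2.1.0 in the Makefile; it changes a third-party scanner dependency and does not touch the user-group or SQL code the advisory concerns, so it should not be read as the injection fix. The PR should state why the bump is tied to this release, and since CLAIRDBVERSION stays pinned to $(VERSIONTAG), confirm that the bundled Clair database image is compatible with the new scanner version before merging.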
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jr34-mff8-pc6f (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-19029 (ghsa; ADVISORY)
- github.com/goharbor/harbor/security/advisories (ghsa; x_refsource_MISC; WEB)
- github.com/goharbor/harbor/security/advisories/GHSA-qcfv-8v29-469w (ghsa; x_refsource_MISC; WEB)
- pkg.go.dev/vuln/GO-2022-0853 (ghsa; WEB)
- tanzu.vmware.com/security/cve-2019-19029 (ghsa; x_refsource_CONFIRM; WEB)