CVE-2019-19030
Description
Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-19030 allows unauthenticated API users to enumerate Harbor resources via HTTP status codes in responses.
Vulnerability Overview
CVE-2019-19030 is an enumeration vulnerability in the Cloud Native Computing Foundation's Harbor, a cloud-native registry for storing and scanning container images and Helm charts. Discovered by Sean Wright from Secureworks, the vulnerability stems from certain Harbor API endpoints returning different HTTP status codes depending on whether a requested resource (such as a project, repository, or chart) exists, even when the request is unauthenticated. By observing these status codes, an attacker can systematically determine which resources exist on the Harbor instance [3].
Affected Endpoints and Attack Vector
An unauthenticated attacker can exploit this vulnerability by making HTTP requests to a variety of API endpoints. The advisory from Harbor lists over a dozen affected APIs, including /api/projects?project_name={name} (HEAD), /api/repositories?project_id={id} (GET), and /api/chartrepo/{repo}/charts/{name} (GET, DELETE), among others [3]. The attack does not require any authentication; the attacker simply sends requests with different resource names or IDs and deduces existence from the HTTP response code. This is a classic enumeration technique that can be performed with wordlists or sequential ID scans.
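The status-code oracle described above, and the pattern that closes it (decide whether the caller may ask before performing any existence lookup), as an added Go illustration; this is not Harbor's code or its actual patch, and the handler names, the in-memory project table and the Authorization-header check are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed project table standing in for Harbor's database (assumption, not Harbor code).
var projects = map[string]bool{"library": true, "payments": true}

// leakyHead: existence is looked up before the caller is checked, so an anonymous
// HEAD /api/projects?project_name=X answers 200 or 404 depending only on X.
func leakyHead(w http.ResponseWriter, r *http.Request) {
	if projects[r.URL.Query().Get("project_name")] {
		w.WriteHeader(http.StatusOK)
		return
	}
	w.WriteHeader(http.StatusNotFound)
}

// hardenedHead checks the caller first (a placeholder header check; real Harbor uses sessions,
// basic auth and robot accounts). Anonymous requests get one uniform status whether or not the
// project exists, so the status code stops being an oracle.
func hardenedHead(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") == "" {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	leakyHead(w, r) // the existence lookup now runs only for authenticated callers
}

// probe sends one existence check to a handler and returns the status it produced.
func probe(h http.HandlerFunc, name, authz string) int {
	req := httptest.NewRequest(http.MethodHead, "/api/projects?project_name="+name, nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// leaks reports whether an anonymous caller can tell a real project from a made-up one.
func leaks(h http.HandlerFunc) bool {
	return probe(h, "payments", "") != probe(h, "no-such-project", "")
}

func main() {
	fmt.Println("leaky:", leaks(leakyHead), "hardened:", leaks(hardenedHead)) // leaky: true hardened: false
}
```

The same test doubles as a regression check: any endpoint that answers anonymous requests should give identical status codes for a real and a fabricated resource name.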
Impact
Successful exploitation provides an unauthenticated attacker with the ability to map out the resources stored in the Harbor registry. This includes discovering existing projects, repositories, charts, labels, and metadata [3]. While this information disclosure does not directly lead to data exfiltration or system compromise, it significantly reduces the attacker's uncertainty, enabling more targeted follow-up attacks. For example, knowing a specific project name or repository ID could help an attacker focus on credentials or known vulnerabilities associated with those resources [2][3].
Mitigation and Patch
The Harbor development team fixed this vulnerability immediately after its discovery. The patch is included in Harbor versions 1.10.3 and 2.0.1 [3]. All users running versions before these are advised to upgrade as soon as possible. There is no known workaround for this vulnerability [3]. The Harbor project's source code is available on GitHub under the Cloud Native Computing Foundation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/goharbor/harbor (Go) | >= 1.7.0, < 1.10.3 | 1.10.3 |
| github.com/goharbor/harbor (Go) | >= 2.0.0, < 2.0.1 | 2.0.1 |
Affected products
- Cloud Native Computing Foundation / Harbor
Patches
2d714b3ea8b10Merge pull request #12330 from heww/cherry-pick-pr-12322
1 file changed · +29 −20
make/photon/common/install_cert.sh+29 −20 modified@@ -2,30 +2,39 @@ set -e +if ! grep -q "Photon" /etc/lsb-release; then + echo "Current OS is not Photon, skip appending ca bundle" + exit 0 +fi + if [ ! -f ~/ca-bundle.crt.original ]; then cp /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt.original fi cp ~/ca-bundle.crt.original /etc/pki/tls/certs/ca-bundle.crt -if [ "$(ls -A /harbor_cust_cert)" ]; then - if grep -q "Photon" /etc/lsb-release; then - echo "Appending trust CA to ca-bundle ..." - for z in /harbor_cust_cert/*; do - case ${z} in - *.crt | *.ca | *.ca-bundle | *.pem) - if [ -d "$z" ]; then - echo "$z is dirictory, skip it ..." - else - cat $z >> /etc/pki/tls/certs/ca-bundle.crt - echo " $z Appended ..." - fi - ;; - *) echo "$z is Not ca file ..." ;; - esac - done - echo "CA appending is Done." - else - echo "Current OS is not Photon, skip appending ca bundle" - fi +# Install /etc/harbor/ssl/{component}/ca.crt to trust CA. +echo "Appending internal tls trust CA to ca-bundle ..." +for caFile in `find /etc/harbor/ssl -maxdepth 2 -name ca.crt`; do + cat $caFile >> /etc/pki/tls/certs/ca-bundle.crt + echo "Internal tls trust CA $caFile appended ..." +done +echo "Internal tls trust CA appending is Done." + +if [[ -d /harbor_cust_cert && -n "$(ls -A /harbor_cust_cert)" ]]; then + echo "Appending trust CA to ca-bundle ..." + for z in /harbor_cust_cert/*; do + case ${z} in + *.crt | *.ca | *.ca-bundle | *.pem) + if [ -d "$z" ]; then + echo "$z is dirictory, skip it ..." + else + cat $z >> /etc/pki/tls/certs/ca-bundle.crt + echo " $z Appended ..." + fi + ;; + *) echo "$z is Not ca file ..." ;; + esac + done + echo "CA appending is Done." fi
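Review bot: the whole hunk changes only how CA certificates are appended to the container's trust bundle in make/photon/common/install_cert.sh; nothing here touches API handlers or HTTP status codes, so confirm that this cherry-pick (PR #12330 of PR #12322) really belongs in the fix set for this enumeration CVE rather than having been pulled in with the release. Within the hunk, the new loop `for caFile in \`find /etc/harbor/ssl -maxdepth 2 -name ca.crt\`; do` with `cat $caFile >> /etc/pki/tls/certs/ca-bundle.crt` word-splits on whitespace in paths; `find ... -exec cat {} + >> ...` or a `while read -r` loop is safer. The new guard `if [[ -d /harbor_cust_cert && -n "$(ls -A /harbor_cust_cert)" ]]` is a bash-only test while the rest of the script uses `[ ... ]`, so keep one form or make sure the interpreter is bash. The relocated message `"$z is dirictory, skip it ..."` still carries the typo.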
afab4169f6aaMerge pull request #12113 from danfengliu/remove-close-scanner-prompt-header-step
2 files changed · +14 −1
tests/resources/Harbor-Pages/HomePage.robot+1 −1 modified@@ -31,7 +31,7 @@ Sign In Harbor Retry Button Click ${login_btn} Log To Console ${user} Retry Wait Element xpath=//span[contains(., '${user}')] - Click Element If Visible ${close_scan_plugin_mesg} + #Click Element If Visible ${close_scan_plugin_mesg} #Run Keyword If ${is_close_scan_plugin_mesg}==${true} Run Keyword And Ignore Error Retry Element Click ${close_scan_plugin_mesg} Capture Screenshot And Source
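Review bot: commenting out `Click Element If Visible ${close_scan_plugin_mesg}` instead of removing it leaves a second dead line next to the already commented `#Run Keyword If ${is_close_scan_plugin_mesg}==${true} ...`; delete both. With this step gone, the `is_close_scan_plugin_mesg=${true}` argument that callers still pass to `Sign In Harbor` no longer has any effect, so either drop the argument from the keyword and its callers or keep the click inside the keyword behind that flag rather than pushing it out to every test case.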
tests/robot-cases/Group1-Nightly/Replication.robot+13 −0 modified@@ -38,6 +38,7 @@ Test Case - Get Harbor Version Test Case - Pro Replication Rules Add Init Chrome Driver Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Switch To Replication Manage Check New Rule UI Without Endpoint Close Browser @@ -47,6 +48,7 @@ Test Case - Harbor Endpoint Verification Init Chrome Driver ${d}= Get Current Date result_format=%m%s Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} + Click Element If Visible ${close_scan_plugin_mesg} Switch To Registries Create A New Endpoint harbor edp1${d} https://${ip} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} N Endpoint Is Pingable @@ -59,6 +61,7 @@ Test Case - DockerHub Endpoint Add Init Chrome Driver ${d}= Get Current Date result_format=%m%s Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} + Click Element If Visible ${close_scan_plugin_mesg} Switch To Registries Create A New Endpoint docker-hub edp1${d} https://hub.docker.com/ danfengliu Aa123456 Y Close Browser @@ -166,6 +169,7 @@ Test Case - Replication Of Push Images from Self To Harbor ${d}= Get Current Date result_format=%m%s #login source Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Create An New Project project${d} Push Image ${ip} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} project${d} hello-world Push Image ${ip} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} project${d} busybox:latest 
@@ -177,15 +181,18 @@ Test Case - Replication Of Push Images from Self To Harbor #logout and login target Logout Harbor Sign In Harbor https://${ip1} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Create An New Project project_dest${d} #logout and login source Logout Harbor Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Switch To Replication Manage Select Rule And Replicate rule${d} Sleep 20 Logout Harbor Sign In Harbor https://${ip1} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Image Should Be Replicated To Project project_dest${d} hello-world Image Should Be Replicated To Project project_dest${d} busybox Close Browser @@ -195,6 +202,7 @@ Test Case - Replication Of Push Chart from Self To Harbor ${d}= Get Current Date result_format=%m%s #login source Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Create An New Project project${d} Go Into Project project${d} has_image=${false} Switch To Project Charts 
@@ -206,15 +214,18 @@ Test Case - Replication Of Push Chart from Self To Harbor #logout and login target Logout Harbor Sign In Harbor https://${ip1} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Create An New Project project_dest${d} #logout and login source Logout Harbor Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Switch To Replication Manage Select Rule And Replicate rule${d} Sleep 20 Logout Harbor Sign In Harbor https://${ip1} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Go Into Project project_dest${d} has_image=${false} Switch To Project Charts Go Into Chart Version ${harbor_chart_name} @@ -227,6 +238,7 @@ Test Case - Replication Of Push Images from Self To Harbor By Push Event ${d}= Get Current Date result_format=%m%s #login source Sign In Harbor ${HARBOR_URL} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Create An New Project project${d} Switch To Registries Create A New Endpoint harbor e${d} https://${ip1} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} @@ -236,6 +248,7 @@ Test Case - Replication Of Push Images from Self To Harbor By Push Event #logout and login target Logout Harbor Sign In Harbor https://${ip1} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} is_close_scan_plugin_mesg=${true} + Click Element If Visible ${close_scan_plugin_mesg} Create An New Project project_dest${d} Push Image ${ip} ${HARBOR_ADMIN} ${HARBOR_PASSWORD} project${d} centos Image Should Be Replicated To Project project_dest${d} centos
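Review bot: the same line `Click Element If Visible ${close_scan_plugin_mesg}` is inserted after every `Sign In Harbor` in tests/robot-cases/Group1-Nightly/Replication.robot (13 copies, matching the +13 in the file header); the next change to that banner will require all of them to be edited. A single wrapper keyword, or the existing `is_close_scan_plugin_mesg` flag on `Sign In Harbor`, would keep the behaviour in one place. Unrelated to the change but visible in the context of the DockerHub Endpoint Add hunk: `Create A New Endpoint docker-hub edp1${d} https://hub.docker.com/ ...` passes a literal account name and password in test source; these belong in variables supplied at run time.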
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 3
Linked articles: 0 (no linked articles in our index yet).