Skip to content

v1.9.3
Compare
Choose a tag to compare
@wy65701436 wy65701436 released this 18 Nov 08:17
· 48 commits to release-1.9.0 since this release
v1.9.3
730d6d2
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Resolved Issues

  • Full list of issues fixed in v1.9.3

  • Fix security issue: a user with Project-Admin capabilities can utilize and exploit SQL Injection to read secrets from the underlying database or conduct privilege escalation.
    GHSA-qcfv-8v29-469w

  • Fix security issue: An authenticated administrator can send a specially crafted SQL payload through the GET parameter sort, allowing the extraction of sensitive information from the database.
    GHSA-rh89-vvrg-fg64

  • Fix security issue: a normal user to gain administrator account privileges by making an API call to modify the email address of a specific user
    GHSA-3868-7c5x-4827

  • Fix security issue: Non-administrator users (such as those created via self-registration) can list all usernames and user IDs by sending a GET request to /api/users/search with no parameters
    GHSA-6qj9-33j4-rvhg

  • Fix security issue: without protection against Cross-Site Request Forgery (CSRF), an attacker can execute any action on the platform in the context of the currently authenticated victim
    GHSA-gcqm-v682-ccw6

Known Issues:

  • Migrating to 1.9 can take a few minutes before API is callable. This is due to the implementation of quotas. #8935
  • Replication does not work between a Harbor instance of a previous version and a Harbor 1.9.0 instance and is not supported by Harbor team. #8673
Assets 7
Loading