ghsa-5757-v49g-f6r7
Vulnerability from github
Description
Under OIDC authentication mode, there is a redirect_url parameter exposed in the URL which is used to redirect the current user to the defined location after the successful OIDC login, This redirect_url can be an ambiguous URL and can be used to embed a phishing URL.
For example: if a user clicks the URL with a malicious redirect_url:
https://<harbor_hostnmae>/c/oidc/login?redirect_url=https://<redirect_domain>
It might redirect the current user without their knowledge to a malicious site, posing a potential risk.
To avoid this issue, the redirect_url should be checked if it is a local path when reading it from the original request URL.
//src/core/controllers/oidc.go
...
redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
if !utils.IsLocalPath(redirectURL) {
log.Errorf("invalid redirect url: %v", redirectURL)
oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site"))
return
}
if err := oc.SetSession(redirectURLKey, redirectURL); err != nil {
...
Impact
When Harbor is configured with OIDC authentication and users log in via a link outside the Harbor server, it might be vulnerable to an open redirect attack. This attack only involves the OIDC Harbor user, if the current Harbor instance is not configured with OIDC auth, the redirect_url doesn't exist and the Harbor instance is not vulnerable to the open redirect attack.
The following versions of Harbor are involved: <=Harbor 2.8.4, <=Harbor 2.9.2, <= Harbor 2.10.0
Patches
Harbor 2.8.5, Harbor 2.9.3, Harbor 2.10.1
Workarounds
When the Harbor is configured with OIDC authentication, warn the user not to log into the Harbor through external links.
References
N/A
Credit
Thanks Arnaud Cordier (arnaud@cordier.work)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-22244"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-02T22:32:32Z",
"nvd_published_at": "2024-06-10T23:15:49Z",
"severity": "MODERATE"
},
"details": "### Description\nUnder OIDC authentication mode, there is a redirect_url parameter exposed in the URL which is used to redirect the current user to the defined location after the successful OIDC login, This redirect_url can be an ambiguous URL and can be used to embed a phishing URL.\nFor example: if a user clicks the URL with a malicious redirect_url:\n```\nhttps://\u003charbor_hostnmae\u003e/c/oidc/login?redirect_url=https://\u003credirect_domain\u003e\n```\nIt might redirect the current user without their knowledge to a malicious site, posing a potential risk.\nTo avoid this issue, the redirect_url should be checked if it is a local path when reading it from the original request URL. \n```\n//src/core/controllers/oidc.go\n...\nredirectURL := oc.Ctx.Request.URL.Query().Get(\"redirect_url\")\nif !utils.IsLocalPath(redirectURL) {\n log.Errorf(\"invalid redirect url: %v\", redirectURL)\n oc.SendBadRequestError(fmt.Errorf(\"cannot redirect to other site\"))\n return\n}\nif err := oc.SetSession(redirectURLKey, redirectURL); err != nil {\n...\n```\n### Impact\nWhen Harbor is configured with OIDC authentication and users log in via a link outside the Harbor server, it might be vulnerable to an open redirect attack. This attack only involves the OIDC Harbor user, if the current Harbor instance is not configured with OIDC auth, the redirect_url doesn\u0027t exist and the Harbor instance is not vulnerable to the open redirect attack.\n\nThe following versions of Harbor are involved:\n\u003c=Harbor 2.8.4, \u003c=Harbor 2.9.2, \u003c= Harbor 2.10.0\n\n### Patches\nHarbor 2.8.5, Harbor 2.9.3, Harbor 2.10.1\n\n### Workarounds\nWhen the Harbor is configured with OIDC authentication, warn the user not to log into the Harbor through external links.\n\n### References\nN/A\n\n### Credit\nThanks Arnaud Cordier (arnaud@cordier.work)",
"id": "GHSA-5757-v49g-f6r7",
"modified": "2025-02-26T22:18:08Z",
"published": "2024-06-02T22:32:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22244"
},
{
"type": "PACKAGE",
"url": "https://github.com/goharbor/harbor"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2915"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open Redirect URL in Harbor"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.