ghsa-q9x4-q76f-5h5j
Vulnerability from github
Published
2022-02-11 23:17
Modified
2023-01-10 15:48
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Unauthenticated users can exploit an enumeration vulnerability in Harbor (CVE-2019-19030)
Details

Impact

Sean Wright from Secureworks has discovered an enumeration vulnerability. An attacker can make use of the Harbor API to make unauthenticated calls to the Harbor instance. Based on the HTTP status code in the response, an attacker is then able to work out which resources exist, and which do not. This would likely be accomplished by either providing a wordlist or enumerating through a sequence an unauthenticated attacker is able to enumerate resources on the system. This provides them with information such as existing projects, repositories, etc.

The vulnerability was immediately fixed by the Harbor team.

Issue

The following API resources where found to be vulnerable to enumeration attacks: /api/chartrepo/{repo}/prov (POST) /api/chartrepo/{repo}/charts (GET, POST) /api/chartrepo/{repo}/charts/{name} (GET, DELETE) /api/chartrepo/{repo}/charts/{name}/{version} (GET, DELETE) /api/labels?name={name}&scope=p (GET) /api/repositories?project_id={id} (GET) /api/repositories/{repo_name}/ (GET, PUT, DELETE) /api/repositories/{repo_name}/tags (GET) /api/repositories/{repo_name}/tags/{tag}/manifest?version={version} (GET) /api/repositories/{repo_name/{tag}/labels (GET) /api/projects?project_name={name} (HEAD) /api/projects/{project_id}/summary (GET) /api/projects/{project_id}/logs (GET) /api/projects/{project_id} (GET, PUT, DELETE) /api/projects/{project_id}/metadatas (GET, POST) /api/projects/{project_id}/metadatas/{metadata_name} (GET, PUT)

Known Attack Vectors

Successful exploitation of this issue will lead to bad actors identifying which resources exist in Harbor without requiring authentication for the Harbor API.

Patches

If your product uses the affected releases of Harbor, update to version 1.10.3 or 2.0.1 to patch this issue immediately.

https://github.com/goharbor/harbor/releases/tag/v1.10.3 https://github.com/goharbor/harbor/releases/tag/v2.0.1

Workarounds

There is no known workaround

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io View our security policy at https://github.com/goharbor/harbor/security/policy

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-19030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T18:52:37Z",
    "nvd_published_at": "2022-12-26T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "# Impact\nSean Wright from Secureworks has discovered an enumeration vulnerability. An attacker can make use of the Harbor API to make unauthenticated calls to the Harbor instance. Based on the HTTP status code in the response, an attacker is then able to work out which resources exist, and which do not. This would likely be accomplished by either providing a wordlist or enumerating through a sequence an\nunauthenticated attacker is able to enumerate resources on the system. This provides them with information such as existing projects, repositories, etc.\n\nThe vulnerability was immediately fixed by the Harbor team.  \n\n# Issue \nThe following API resources where found to be vulnerable to enumeration attacks:\n/api/chartrepo/{repo}/prov (POST)\n/api/chartrepo/{repo}/charts (GET, POST)\n/api/chartrepo/{repo}/charts/{name} (GET, DELETE)\n/api/chartrepo/{repo}/charts/{name}/{version} (GET, DELETE)\n/api/labels?name={name}\u0026scope=p (GET)\n/api/repositories?project_id={id} (GET)\n/api/repositories/{repo_name}/ (GET, PUT, DELETE)\n/api/repositories/{repo_name}/tags (GET)\n/api/repositories/{repo_name}/tags/{tag}/manifest?version={version} (GET)\n/api/repositories/{repo_name/{tag}/labels (GET)\n/api/projects?project_name={name} (HEAD)\n/api/projects/{project_id}/summary (GET)\n/api/projects/{project_id}/logs (GET)\n/api/projects/{project_id} (GET, PUT, DELETE)\n/api/projects/{project_id}/metadatas (GET, POST)\n/api/projects/{project_id}/metadatas/{metadata_name} (GET, PUT)\n\n# Known Attack Vectors\nSuccessful exploitation of this issue will lead to bad actors identifying which resources exist in Harbor without requiring authentication for the Harbor API.\n\n# Patches\nIf your product uses the affected releases of Harbor, update to version 1.10.3 or 2.0.1 to patch this issue immediately.\n\nhttps://github.com/goharbor/harbor/releases/tag/v1.10.3\nhttps://github.com/goharbor/harbor/releases/tag/v2.0.1\n\n# Workarounds\nThere is no known workaround\n\n# For more information\nIf you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io\nView our security policy at https://github.com/goharbor/harbor/security/policy",
  "id": "GHSA-q9x4-q76f-5h5j",
  "modified": "2023-01-10T15:48:41Z",
  "published": "2022-02-11T23:17:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated users can exploit an enumeration vulnerability in Harbor (CVE-2019-19030)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.