GHSA-Q9X4-Q76F-5H5J

Vulnerability from github – Published: 2022-02-11 23:17 – Updated: 2023-01-10 15:48
Summary
Unauthenticated users can exploit an enumeration vulnerability in Harbor (CVE-2019-19030)
Details

Impact

Sean Wright from Secureworks discovered an enumeration vulnerability. An attacker can make unauthenticated calls to the Harbor API and, based on the HTTP status code in the response, work out which resources exist and which do not. By supplying a wordlist or iterating through a sequence (for example numeric project IDs), an unauthenticated attacker can enumerate resources on the system and learn which projects, repositories and similar objects exist.

The vulnerability was immediately fixed by the Harbor team.

Issue

The following API resources were found to be vulnerable to enumeration attacks:
/api/chartrepo/{repo}/prov (POST)
/api/chartrepo/{repo}/charts (GET, POST)
/api/chartrepo/{repo}/charts/{name} (GET, DELETE)
/api/chartrepo/{repo}/charts/{name}/{version} (GET, DELETE)
/api/labels?name={name}&scope=p (GET)
/api/repositories?project_id={id} (GET)
/api/repositories/{repo_name}/ (GET, PUT, DELETE)
/api/repositories/{repo_name}/tags (GET)
/api/repositories/{repo_name}/tags/{tag}/manifest?version={version} (GET)
/api/repositories/{repo_name}/{tag}/labels (GET)
/api/projects?project_name={name} (HEAD)
/api/projects/{project_id}/summary (GET)
/api/projects/{project_id}/logs (GET)
/api/projects/{project_id} (GET, PUT, DELETE)
/api/projects/{project_id}/metadatas (GET, POST)
/api/projects/{project_id}/metadatas/{metadata_name} (GET, PUT)
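The Impact and Issue sections above describe the response-discrepancy pattern (CWE-204) without showing it. The following Go program is an added illustration, not Harbor's own code: a toy handler for a single endpoint shaped like /api/projects/{project_id}/summary resolves the project before checking the caller (404 for a missing project, 401 for an existing one), a hardened variant checks the caller first, and an Enumerate function plays the unauthenticated attacker with a wordlist. The project names, the bearer-token check and the exact order of checks in Harbor's patched code are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data for the example: projects that exist in this toy
// registry. Not real Harbor data.
var existingProjects = map[string]bool{
	"library":  true,
	"payments": true,
}

// isAuthenticated is an assumed stand-in for a real session or token check.
func isAuthenticated(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer valid-token"
}

// projectName extracts {project_id} from /api/projects/{project_id}/summary.
func projectName(path string) string {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) == 4 && parts[0] == "api" && parts[1] == "projects" && parts[3] == "summary" {
		return parts[2]
	}
	return ""
}

// VulnerableHandler resolves the resource before checking the caller, so an
// unauthenticated request receives 404 for a missing project and 401 for an
// existing one: the status code alone leaks whether the project exists.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	name := projectName(r.URL.Path)
	if name == "" || !existingProjects[name] {
		http.Error(w, "project not found", http.StatusNotFound)
		return
	}
	if !isAuthenticated(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "summary of %s", name)
}

// HardenedHandler checks the caller first, so every unauthenticated request
// receives the same 401 whether or not the project exists.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	if !isAuthenticated(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	name := projectName(r.URL.Path)
	if name == "" || !existingProjects[name] {
		http.Error(w, "project not found", http.StatusNotFound)
		return
	}
	fmt.Fprintf(w, "summary of %s", name)
}

// statusOf sends one unauthenticated GET to the handler in-process (no
// network) and returns the status code.
func statusOf(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

// Enumerate plays the attacker: it records the status for a name that is
// certainly absent, then reports every wordlist entry whose status differs
// from that baseline. Against the hardened handler every probe is 401, so
// nothing is reported.
func Enumerate(h http.Handler, wordlist []string) []string {
	baseline := statusOf(h, "/api/projects/zz-definitely-missing/summary")
	var found []string
	for _, candidate := range wordlist {
		if statusOf(h, "/api/projects/"+candidate+"/summary") != baseline {
			found = append(found, candidate)
		}
	}
	return found
}

func main() {
	wordlist := []string{"library", "admin", "payments", "staging"}
	fmt.Println("vulnerable:", Enumerate(http.HandlerFunc(VulnerableHandler), wordlist))
	fmt.Println("hardened:  ", Enumerate(http.HandlerFunc(HardenedHandler), wordlist))
}
```

The same probe works for any of the endpoints listed above, since each takes an attacker-controlled name or ID in its path or query string; the defence is the same in every case, which is to decide authentication and authorization before looking the resource up, so that the response to an unauthenticated caller does not depend on what exists.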

Known Attack Vectors

Successful exploitation of this issue will lead to bad actors identifying which resources exist in Harbor without requiring authentication for the Harbor API.

Patches

If your product uses the affected releases of Harbor, update to version 1.10.3 or 2.0.1 to patch this issue immediately.

https://github.com/goharbor/harbor/releases/tag/v1.10.3 https://github.com/goharbor/harbor/releases/tag/v2.0.1

Workarounds

There is no known workaround

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io View our security policy at https://github.com/goharbor/harbor/security/policy


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-19030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T18:52:37Z",
    "nvd_published_at": "2022-12-26T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "# Impact\nSean Wright from Secureworks has discovered an enumeration vulnerability. An attacker can make use of the Harbor API to make unauthenticated calls to the Harbor instance. Based on the HTTP status code in the response, an attacker is then able to work out which resources exist, and which do not. This would likely be accomplished by either providing a wordlist or enumerating through a sequence an\nunauthenticated attacker is able to enumerate resources on the system. This provides them with information such as existing projects, repositories, etc.\n\nThe vulnerability was immediately fixed by the Harbor team.  \n\n# Issue \nThe following API resources where found to be vulnerable to enumeration attacks:\n/api/chartrepo/{repo}/prov (POST)\n/api/chartrepo/{repo}/charts (GET, POST)\n/api/chartrepo/{repo}/charts/{name} (GET, DELETE)\n/api/chartrepo/{repo}/charts/{name}/{version} (GET, DELETE)\n/api/labels?name={name}\u0026scope=p (GET)\n/api/repositories?project_id={id} (GET)\n/api/repositories/{repo_name}/ (GET, PUT, DELETE)\n/api/repositories/{repo_name}/tags (GET)\n/api/repositories/{repo_name}/tags/{tag}/manifest?version={version} (GET)\n/api/repositories/{repo_name/{tag}/labels (GET)\n/api/projects?project_name={name} (HEAD)\n/api/projects/{project_id}/summary (GET)\n/api/projects/{project_id}/logs (GET)\n/api/projects/{project_id} (GET, PUT, DELETE)\n/api/projects/{project_id}/metadatas (GET, POST)\n/api/projects/{project_id}/metadatas/{metadata_name} (GET, PUT)\n\n# Known Attack Vectors\nSuccessful exploitation of this issue will lead to bad actors identifying which resources exist in Harbor without requiring authentication for the Harbor API.\n\n# Patches\nIf your product uses the affected releases of Harbor, update to version 1.10.3 or 2.0.1 to patch this issue immediately.\n\nhttps://github.com/goharbor/harbor/releases/tag/v1.10.3\nhttps://github.com/goharbor/harbor/releases/tag/v2.0.1\n\n# Workarounds\nThere is no known workaround\n\n# For more information\nIf you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io\nView our security policy at https://github.com/goharbor/harbor/security/policy",
  "id": "GHSA-q9x4-q76f-5h5j",
  "modified": "2023-01-10T15:48:41Z",
  "published": "2022-02-11T23:17:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q9x4-q76f-5h5j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated users can exploit an enumeration vulnerability in Harbor (CVE-2019-19030)"
}

