Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE5cDgtMzN3Yy1oNDMy
Authenticated users can exploit an enumeration vulnerability in Harbor
Impact
Hidde Smit from Cyber Eagle has discovered an User Enumeration flaw in Harbor. The issue is present in the "/users" api endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained via the "search" functionality.
Non-administrator users (such as those created via self-registration) can list all usernames and user IDs by sending a GET request to /api/users/search with parameter "username" and value "_", as follows:
curl -X GET "https://<host>/api/users/search?username=_" -H "accept: application/json" --user <user>:<password>
The vulnerability was immediately fixed by the Harbor team and all supported versions were patched. With the patched versions of Harbor, the username is required for search and we have removed the support for querying by email.
Patches
If your product uses the affected releases of Harbor, update to either version 2.1.0 or 2.0.3 to fix this issue immediately
https://github.com/goharbor/harbor/releases/tag/v2.1.0
https://github.com/goharbor/harbor/releases/tag/v2.0.3
Workarounds
There is no workaround for this issue
For more information
If you have any questions or comments about this advisory, contact [email protected]
View our security policy at https://github.com/goharbor/harbor/security/policy
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13794
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE5cDgtMzN3Yy1oNDMy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 7 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-q9p8-33wc-h432, CVE-2020-13794
References:
- https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432
- https://nvd.nist.gov/vuln/detail/CVE-2020-13794
- https://github.com/goharbor/harbor/releases
- https://github.com/goharbor/harbor/releases/tag/v2.0.3
- https://www.cybereagle.io/blog/cve-2020-13794/
- https://github.com/goharbor/harbor/releases/tag/v2.1.0
- https://github.com/advisories/GHSA-q9p8-33wc-h432
Blast Radius: 2.6
Affected Packages
go:github.com/goharbor/harbor
Dependent packages: 0Dependent repositories: 4
Downloads:
Affected Version Ranges: < 2.0.3
Fixed in: 2.0.3
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 1.10.16, 1.10.17, 1.10.18, 2.0.0, 2.0.1, 2.0.2
All unaffected versions: 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.10.0, 2.10.1, 2.10.2