Critical Vulnerability in Harbor Gives Admin Access

Community Team Member

Unit 42 researcher Aviv Sasson identified a critical vulnerability that could be exploited to allow attackers to take over Harbor registries by sending malicious requests.

 

The privilege escalation vulnerability was uncovered when researching the Harbor project by the Cloud Native Computing Foundation projects (CNCF).

 

What is Harbor?

"Harbor is an open source cloud native registry that stores, signs, and scans container images for vulnerabilities" (goharbor.io, 2019). It integrates with Docker Hub, Docker Registry, Google Container Registry, and other registries.

 

The illustration below shows users and partners of Harbor.

Officially recognized users and partners of HarborOfficially recognized users and partners of Harbor.

 

The Vulnerability

The vulnerability, tracked as CVE-2019-16097, was said to impact versions 1.7.0 through 1.8.2.  It allows non-admin users to create admin accounts via the POST /api/users API simply by adding “has_admin_role” = “True" to a request payload.

 

The problem is serious! A performed scan showed that from the 2,500 online Harbors, 1,300 were found vulnerable!

 

The Patch

A patch has been included in versions 1.7.6 and 1.8.3 and was released on September 18, 2019. It includes a check that prevents non-admin users from creating a new admin user. All users are recommended to update their Harbor installations as soon as possible because this vulnerability is critical and gives anyone full access to their registry.

 

Read more about this Critical Vulnerability in Harbor on the Unit42 blog.

 

See also: Disallow creating an admin user when registration #8917

 

-Kiwi out!

336 Views
Ask Questions Get Answers Join the Live Community
Labels