Non-critical severity vulnerability in Harbor (CVE-2020-13794) #security
Attention Harbor users,
A new Harbor security advisory has been published at https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432
The vulnerability has already been fixed in the newly released v2.1.0 and v2.0.3. Please upgrade to these versions as soon as possible. If you have any concerns about this timeline, please reach out to us.
Dutch Government Security Team has discovered an enumeration vulnerability that lists all users with their respective user_IDs when doing authenticated API calls (basic auth) to "/api/users/search?username=_"
curl -X GET "https://harbor.diensten.test.REDACTED.nl/api/users/search?username=_" -H "accept: application/json" --user REDACTED@...
The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.
Known Attack Vectors
Successful exploitation of this issue will lead to enumeration of users and their IDs
This is already patched in the v2.1.0 released today but we will also make the fix available in the upcoming v2.0.3
For more information
View our security policy at https://github.com/goharbor/harbor/security/policy
If you have any questions or comments about this advisory, please contact cncf-harbor-security@...