Non-critical severity vulnerability in Harbor (CVE-2020-13794) #security
Alex Xu
Attention Harbor users,

A new Harbor security advisory has been published at https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432

The vulnerability has already been fixed in the newly released v2.1.0 and v2.0.3. Please upgrade to these versions as soon as possible. If you have any concerns about this timeline, please reach out to us.

Description

The Dutch Government Security Team discovered an enumeration vulnerability that lists all users with their respective user_IDs when doing authenticated API calls (basic auth) to "/api/users/search?username=_".

CURL example:

curl -X GET "https://harbor.diensten.test.REDACTED.nl/api/users/search?username=_" -H "accept: application/json" --user REDACTED@...

The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.

Known Attack Vectors

Successful exploitation of this issue will lead to enumeration of users and their IDs.

Patches

This is already patched in the v2.1.0 released today but we will also make the fix available in the upcoming v2.0.3
https://github.com/goharbor/harbor/releases/tag/v2.1.0
https://github.com/goharbor/harbor/releases/tag/v2.0.3

For more information

View our security policy at https://github.com/goharbor/harbor/security/policy

If you have any questions or comments about this advisory, please contact cncf-harbor-security@...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13794
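The advisory only states the symptom (a search for "_" returns every user). The following added Go example, which is not Harbor's own code, assumes the underlying cause is a search term interpolated unescaped into a SQL LIKE pattern, where "_" is a single-character wildcard; it contrasts that shape with a version that escapes the LIKE metacharacters, using a small in-memory LIKE matcher (likeMatch) and a constructed user list (sampleUsers) so it runs offline.

```go
package main

import "strings"

// Constructed sample user table standing in for the users a registry would hold.
var sampleUsers = []string{"admin", "alice", "bob_builder", "svc_ci"}

// likeMatch is a minimal SQL LIKE evaluator (%, _ and backslash escapes) so the
// example needs no database; in production the database evaluates the pattern.
func likeMatch(p, s string) bool {
	if p == "" {
		return s == ""
	}
	switch p[0] {
	case '%': // zero or more characters
		for i := 0; i <= len(s); i++ {
			if likeMatch(p[1:], s[i:]) {
				return true
			}
		}
		return false
	case '_': // exactly one character: why a bare "_" matches every username
		return s != "" && likeMatch(p[1:], s[1:])
	case '\\': // escaped metacharacter: match the next byte literally
		return len(p) > 1 && s != "" && s[0] == p[1] && likeMatch(p[2:], s[1:])
	default:
		return s != "" && s[0] == p[0] && likeMatch(p[1:], s[1:])
	}
}

// vulnerablePattern wraps the raw query in wildcards (assumed pre-fix shape).
func vulnerablePattern(q string) string { return "%" + q + "%" }

// hardenedPattern escapes \, % and _ before wrapping, so "_" in the query only
// matches usernames that literally contain an underscore.
func hardenedPattern(q string) string {
	esc := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(q)
	return "%" + esc + "%"
}

// searchUsers returns the usernames the LIKE pattern matches, in table order.
func searchUsers(users []string, pattern string) []string {
	var out []string
	for _, u := range users {
		if likeMatch(pattern, u) {
			out = append(out, u)
		}
	}
	return out
}
```

Calling searchUsers(sampleUsers, vulnerablePattern("_")) returns all four names, while searchUsers(sampleUsers, hardenedPattern("_")) returns only bob_builder and svc_ci.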