Non-critical severity vulnerability in Harbor (CVE-2020-13794) #security
Attention Harbor users,
A new Harbor security advisory has been published at https://github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432
The vulnerability has already been fixed in the newly released v2.1.0 and v2.0.3. Please upgrade to these versions as soon as possible. If you have any concerns about this timeline, please reach out to us.
Description
The Dutch Government Security Team discovered an enumeration vulnerability: an authenticated API call (basic auth) to "/api/users/search?username=_" returns a list of all users with their respective user IDs.
CURL example:
curl -X GET "https://harbor.diensten.test.REDACTED.nl/api/users/search?username=_" -H "accept: application/json" --user REDACTED@...
The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.
Known Attack Vectors
Successful exploitation of this issue leads to enumeration of users and their IDs.
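As an added illustration (not code from the advisory or from the Harbor project), the following Go snippet shows the two things a defender wants around this kind of search endpoint: a hardened handling of the search term, and a detection pass over access logs. It assumes, which the advisory does not state, that the "username=_" behaviour comes from the term reaching a SQL LIKE pattern unescaped, where "_" matches any single character and "%" any run of characters; the log lines are constructed samples in combined log format, not real Harbor output.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// escapeLikePattern escapes the SQL LIKE metacharacters so a user-supplied term is
// matched literally when embedded as LIKE '%' || term || '%' ESCAPE '\'.
// Assumption (not in the advisory): the wildcard-only search reached LIKE unescaped.
func escapeLikePattern(term string) string {
	var b strings.Builder
	for _, r := range term {
		switch r {
		case '\\', '%', '_':
			b.WriteRune('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// isWildcardOnly reports whether a search term has no literal characters at all
// (only LIKE wildcards or whitespace). Such a term cannot express a real lookup, so a
// hardened handler rejects it instead of answering with the whole user table.
func isWildcardOnly(term string) bool {
	return strings.Trim(term, "%_ \t") == ""
}

// userSearchFromLogLine extracts the username parameter from a combined-format access
// log line when the request targets the user search endpoint; ok is false otherwise.
func userSearchFromLogLine(line string) (term string, ok bool) {
	start := strings.Index(line, "\"")
	if start < 0 {
		return "", false
	}
	end := strings.Index(line[start+1:], "\"")
	if end < 0 {
		return "", false
	}
	request := line[start+1 : start+1+end] // e.g. GET /api/users/search?username=_ HTTP/1.1
	fields := strings.Fields(request)
	if len(fields) < 2 {
		return "", false
	}
	u, err := url.Parse(fields[1])
	if err != nil || u.Path != "/api/users/search" {
		return "", false
	}
	vals, present := u.Query()["username"] // Query() percent-decodes, so %25 becomes %
	if !present || len(vals) == 0 {
		return "", false
	}
	return vals[0], true
}

// flagWildcardSearches returns the lines that hit the user search endpoint with a
// wildcard-only username, the request shape shown in the advisory's curl example.
func flagWildcardSearches(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		if term, ok := userSearchFromLogLine(line); ok && isWildcardOnly(term) {
			flagged = append(flagged, line)
		}
	}
	return flagged
}

// sampleLog holds constructed access-log lines for the example (not real Harbor output).
var sampleLog = []string{
	`10.0.0.5 - alice [10/Sep/2020:12:00:01 +0000] "GET /api/users/search?username=bob HTTP/1.1" 200 312`,
	`10.0.0.9 - carol [10/Sep/2020:12:00:07 +0000] "GET /api/users/search?username=_ HTTP/1.1" 200 48213`,
	`10.0.0.9 - carol [10/Sep/2020:12:00:09 +0000] "GET /api/users/search?username=%25 HTTP/1.1" 200 48213`,
	`10.0.0.5 - alice [10/Sep/2020:12:00:11 +0000] "GET /api/projects?name=_ HTTP/1.1" 200 1021`,
}

func main() {
	fmt.Println("escaped search term:", escapeLikePattern("a_b%c"))
	for _, l := range flagWildcardSearches(sampleLog) {
		fmt.Println("FLAG wildcard-only user search:", l)
	}
}
```

The detection side is what remains useful after upgrading: a wildcard-only search that returned a large response body is a strong signal of enumeration attempts against instances that were still on a vulnerable version. The escaping helper is the generic fix for search terms that end up in LIKE patterns; combined with rejecting wildcard-only terms it removes both the "list everyone" and the "guess one character at a time" outcomes.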
Patches
This is already patched in v2.1.0, released today, and we will also make the fix available in the upcoming v2.0.3.
https://github.com/goharbor/harbor/releases/tag/v2.1.0
https://github.com/goharbor/harbor/releases/tag/v2.0.3
For more information
View our security policy at https://github.com/goharbor/harbor/security/policy
If you have any questions or comments about this advisory, please contact cncf-harbor-security@...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13794