DISCLAIMER: The following content is DISPUTED by the vendor, as they consider it a documented feature. Please verify the information for your use case accordingly.

Summary

A vulnerability was reported in Harbor, an open-source container image registry, that allows the tag listings of both public and private image repositories to be retrieved without authentication. The reported behavior has been present since the initial Harbor v1.X.X releases and still affects v2.5.3, the latest version at the time of the report. The vendor disputes the vulnerability claim, stating that this behavior is intentional and documented as a feature.

Affected Versions: Harbor v1.X.X to v2.5.3

Exploitable Environments: Any installation of the affected versions of Harbor.

Impact: Unauthorized access to public and private image repositories without authentication, potentially leading to sensitive information disclosure and unauthorized actions.

Technical Description

Harbor is a popular container image registry, commonly used by organizations to store the container images they deploy applications from. Harbor groups repositories into projects, and visibility (public or private) is configured at the project level: images in a public project can be pulled by anyone who can reach the registry, while a private project is meant to require credentials.

According to the report, in the affected versions the tag list of a repository can be retrieved from the registry API without any form of authentication, regardless of whether the repository is public or private. The following snippet from the report exercises the reported behavior:

import requests

# Base URL of the target Harbor instance (Docker registry API v2 endpoint)
url = "https://harbor.example.com/v2/"

# Repository name as used in the report; note that Harbor repository names
# normally take the form "<project>/<repository>"
repo_name = "private-repo"

# Send the request with no credentials and no Authorization header at all
response = requests.get(url + repo_name + "/tags/list", timeout=10)

# A 200 with a "tags" array means the listing was served unauthenticated;
# a 401 means the registry demanded credentials (the expected result for a
# private project)
print(response.status_code)
print(response.json())

This code sends a single HTTP GET request to the registry's /v2/<repository>/tags/list endpoint, without an Authorization header and without going through the token (bearer) flow a registry normally requires. According to the report, the request succeeds and returns the list of tags even for a repository that is marked as private.

It is important to note that the vendor has disputed this vulnerability claim, stating that this behavior is intentional and documented as a feature. The vendor's documentation on this topic can be found here:

Harbor Documentation - Managing Repositories Visibility

Mitigation

As the vendor's position is that this behavior is a feature, the practical mitigation is configuration: make sure that every project holding sensitive images is set to private rather than public, and that the project membership and access control settings match your organization's security policies. Because the dispute turns on whether a given project is actually configured as private, do not take the dashboard setting on trust; confirm it by issuing an unauthenticated request to the registry endpoint from outside your authentication boundary and checking that the registry answers with 401 rather than a tag listing.

In conclusion, whether or not the reported behavior is a legitimate vulnerability, it can lead to unintended exposure if the visibility model is not properly understood and configured. Administrators of Harbor installations should review their project configurations and verify, with an unauthenticated request, that access controls behave as intended for every repository that is supposed to be private.
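The verification step described above, as an added example that is not part of the original report or of the Harbor project: a small audit script that probes each repository you expect to be private with an unauthenticated GET on the registry's tags/list endpoint and flags any that answer with a tag listing instead of a 401. The host name, repository names and the sample responses are constructed for the example so that it runs offline; the live fetcher uses only the standard library and sends no credentials.

```python
import json
import urllib.error
import urllib.request

# Constructed sample responses standing in for a live Harbor instance, so the
# block runs offline. Harbor repository names are "<project>/<repository>".
SAMPLE_RESPONSES = {
    "library/nginx": (200, '{"name":"library/nginx","tags":["1.25","latest"]}'),
    "internal/billing": (200, '{"name":"internal/billing","tags":["v3"]}'),
    "internal/secrets": (401, '{"errors":[{"code":"UNAUTHORIZED",'
                              '"message":"unauthorized to access repository"}]}'),
}
NOT_FOUND = (404, '{"errors":[{"code":"NAME_UNKNOWN",'
                  '"message":"repository name not known"}]}')


def sample_fetch(url):
    """Offline stand-in for live_fetch: answers from SAMPLE_RESPONSES."""
    repo = url.split("/v2/", 1)[1].rsplit("/tags/list", 1)[0]
    return SAMPLE_RESPONSES.get(repo, NOT_FOUND)


def live_fetch(url, timeout=10):
    """Unauthenticated GET; returns (status, body) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map a registry v2 tags/list response to an audit finding."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        tags = data.get("tags") if isinstance(data, dict) else None
        return {"state": "exposed", "tags": tags or []}
    if status in (401, 403):
        return {"state": "auth-required", "tags": []}
    if status == 404:
        return {"state": "not-found", "tags": []}
    return {"state": "other", "tags": [], "status": status}


def audit(base_url, expected_private, fetch=live_fetch):
    """Probe each repository without credentials.

    Returns (findings, violations): findings maps repository -> classification,
    violations lists repositories that were expected to be private but served
    a tag listing to an unauthenticated client.
    """
    findings = {}
    for repo in expected_private:
        url = "{}/v2/{}/tags/list".format(base_url.rstrip("/"), repo)
        status, body = fetch(url)
        findings[repo] = classify(status, body)
    violations = [r for r in expected_private if findings[r]["state"] == "exposed"]
    return findings, violations


if __name__ == "__main__":
    # Swap sample_fetch for live_fetch to run this against a real instance
    findings, violations = audit("https://harbor.example.com",
                                 ["internal/billing", "internal/secrets"],
                                 sample_fetch)
    for repo, finding in findings.items():
        print(repo, finding)
    print("exposed but expected private:", violations)
```

Run it from a network position that is outside your authentication boundary (no registry credentials, no cached Docker login, no proxy that injects tokens), since a probe that silently carries credentials proves nothing about unauthenticated access. A repository listed under violations is one where the project is, whatever the dashboard says, effectively public and needs its visibility corrected.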

Timeline

Published on: 01/13/2023 00:15:00 UTC
Last modified on: 01/24/2023 16:17:00 UTC