CVE-2023-20902 - Timing Attack in Harbor Allows Unauthorized Job Task Actions
TL;DR: CVE-2023-20902 is a significant security vulnerability found in various Harbor versions, including 2.6.x and older, 2.7.2 and older, 2.8.2 and older, and 1.10.17 and older. This bug, due to a timing issue, lets attackers with simple network access interact with jobs — even if they're not authorized. This means changing job states, stopping jobs, and stealing job task info. If you run an affected Harbor instance, patch right away.
🚢 What is Harbor?
Harbor is a popular open-source container image registry, designed to store, scan, sign, and manage images, typically used in cloud-native and Kubernetes environments.
🛑 The Problem: A Timing Attack on Job Task APIs
Harbor’s jobservice handles important background tasks like replication, scanning, and garbage collection. The CVE-2023-20902 vulnerability is a “race condition” bug—meaning there’s a window where unauthorized users can trick Harbor into granting access to job APIs. This bug isn’t about passwords; it’s about hitting job APIs at just the right moment.
Create (trigger) new job tasks.
- Stop/cancel running job tasks.
Let’s see what this looks like in the real world
> *Assume: Attacker has network access (not even user credentials) to Harbor’s API endpoint.*
Sample Exploit — Stopping Someone Else's Job
import requests
# Replace with Harbor's API endpoint and job task ID
HARBOR_URL = 'https://your-harbor.example.com/api/v2.';
JOBTASK_ID = '12345'
# No authentication!
endpoint = f'{HARBOR_URL}/jobs/{JOBTASK_ID}/stop'
response = requests.post(endpoint)
if response.status_code == 200:
    print("Job stopped! Unauthorized access successful!")
else:
    print(f"Exploit failed. HTTP status {response.status_code}")
The API isn’t supposed to allow unauthenticated POSTs.
- Due to a race/timing bug, right in the small window after Harbor starts a job or updates permissions, an outside attacker can submit commands successfully.
Vendor Advisory:
Harbor Security Advisories: CVE-2023-20902
NVD Entry:
Example Analysis and POC:
Harbor Issue #17223 *(for technical context)*
This bug is fixed in later versions.
> Check the official releases for your upgrade path.
📝 Final Thoughts
CVE-2023-20902 is dangerous because it’s easy to exploit, needs _no credentials_, and lets attackers tamper with important background jobs. In container environments, this can turn an image registry into a point of failure or open the way for a lateral attack.
Patch now! And always audit your exposed API endpoints.
More Resources
- Read the official Harbor documentation
- More on race conditions – Wikipedia
- Container security best practices
Timeline
Published on: 11/09/2023 01:15:07 UTC
Last modified on: 11/16/2023 16:43:24 UTC