Skip to content

Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788)

Low severity GitHub Reviewed Published Jul 17, 2020 in goharbor/harbor • Updated Jan 9, 2023

Package

gomod github.com/goharbor/harbor (Go)

Affected versions

>= 1.8.0, < 2.0.1

Patched versions

2.0.1

Description

Impact

Matt Hamilton from Soluble has discovered a limited Server-Side Request Forgery (SSRF) that allowed Harbor project owners to scan the TCP ports of hosts on the Harbor server's internal network.

The vulnerability was immediately fixed by the Harbor team.

Issue

The “Test Endpoint” API, part of the functionality for ensuring a project Webhook is accessible and functional, is vulnerable to a limited SSRF attack. A malicious user that is also a project administrator can use this API for internal port scanning.

Known Attack Vectors

Successful exploitation of this issue will lead to bad actors identifying open TCP ports on any network that is accessible by the Harbor core services

Patches

If your product uses the affected releases of Harbor, update to version 2.0.1 to patch this issue immediately.

https://github.com/goharbor/harbor/releases/tag/v2.0.1

Workarounds

Since only project administrators (the user that created the project) are allowed to test the webhook endpoints configured in Harbor, a Harbor system administrator can control who is a project admin. In addition, Harbor system administrators can enforce a setting where only an administrator is allowed to create new projects instead of the default Everyone. This further restricts who can be a project administrator in Harbor.

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@lists.cncf.io
View our security policy at https://github.com/goharbor/harbor/security/policy
https://nvd.nist.gov/vuln/detail/CVE-2020-13788
https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788

References

@michmike michmike published to goharbor/harbor Jul 17, 2020
Reviewed May 24, 2021
Published to the GitHub Advisory Database Feb 11, 2022
Last updated Jan 9, 2023

Severity

Low

EPSS score

0.116%
(46th percentile)

Weaknesses

CVE ID

CVE-2020-13788

GHSA ID

GHSA-33p6-fx42-7rf5

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.