CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
44.7%
Hidde Smit from Cyber Eagle has discovered an User Enumeration flaw in Harbor. The issue is present in the “/users” api endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained via the “search” functionality.
Non-administrator users (such as those created via self-registration) can list all usernames and user IDs by sending a GET request to /api/users/search with parameter “username” and value “_”, as follows:
curl -X GET "https://<host>/api/users/search?username=_" -H "accept: application/json" --user <user>:<password>
The vulnerability was immediately fixed by the Harbor team and all supported versions were patched. With the patched versions of Harbor, the username is required for search and we have removed the support for querying by email.
If your product uses the affected releases of Harbor, update to either version 2.1.0 or 2.0.3 to fix this issue immediately
https://github.com/goharbor/harbor/releases/tag/v2.1.0
https://github.com/goharbor/harbor/releases/tag/v2.0.3
There is no workaround for this issue
If you have any questions or comments about this advisory, contact [email protected]
View our security policy at https://github.com/goharbor/harbor/security/policy
https://vulners.com/cve/CVE-2020-13794
github.com/advisories/GHSA-q9p8-33wc-h432
github.com/goharbor/harbor/releases
github.com/goharbor/harbor/releases/tag/v2.0.3
github.com/goharbor/harbor/releases/tag/v2.1.0
github.com/goharbor/harbor/security/advisories/GHSA-q9p8-33wc-h432
nvd.nist.gov/vuln/detail/CVE-2020-13794
www.cybereagle.io/blog/cve-2020-13794/
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
44.7%