CVE-2023-20902 – github.com/goharbor/harbor
Package
Manager: go
Name: github.com/goharbor/harbor
Vulnerable Version: >=0 <1.10.18 || >=2.0.0 <2.7.3 || >=2.8.0 <2.8.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00298 (percentile 0.52657)
Details
Harbor timing attack risk

In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks. The vulnerability occurs due to the following code: https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69

To avoid this issue, a constant-time comparison should be used:

```go
// subtle.ConstantTimeCompare returns 1 when both byte slices are identical and 0 otherwise,
// without short-circuiting on the first differing byte; a result of 0 means the request is rejected.
subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0
```

### Impact

This attack might be possible theoretically, but no workable proof of concept is available, and access complexity is set at High.

The jobservice exposes these APIs:

```
Create a job task             --- POST /api/v1/jobs
Get job task information      --- GET  /api/v1/jobs/{job_id}
Stop job task                 --- POST /api/v1/jobs/{job_id}
Get job log task              --- GET  /api/v1/jobs/{job_id}/log
Get job execution             --- GET  /api/v1/jobs/{job_id}/executions
Get job stats                 --- GET  /api/v1/stats
Get job service configuration --- GET  /api/v1/config
```

It is used to create jobs, stop job tasks and retrieve job task information. If an attacker obtains the secret, it is possible to retrieve job information, create a job, or stop a job task.

The following versions of Harbor are involved: <=Harbor 2.8.2, <=Harbor 2.7.2, <=Harbor 2.6.x, <=Harbor 1.10.17

### Patches

Harbor 2.8.3, Harbor 2.7.3, Harbor 1.10.18

### Workarounds

Because the jobservice only exposes its HTTP service to harbor-core containers, blocking any inbound traffic from the external network to the jobservice container can reduce the risk.

### Credits

Thanks to Porcupiney Hairs for reporting this issue.
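The advisory names the fix but not the surrounding authenticator. The following is an added, self-contained Go example (not Harbor's code) that places the variable-time string comparison next to the `subtle.ConstantTimeCompare` form, adds the common hash-then-compare hardening that also hides the secret's length, and wires the check into a small `net/http` middleware exercised with `httptest`. The secret value, the `Authorization: Bearer <secret>` header scheme and the function names are constructed for illustration and are not Harbor's actual configuration or header format.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample secret for the example; a real service loads it from
// configuration or the environment, never from source.
const expectedSecret = "constructed-sample-secret-0123456789"

// VariableTimeEqual mirrors the flawed pattern: == on strings returns as soon
// as the first differing byte is found, so response time is correlated with
// the length of the matching prefix.
func VariableTimeEqual(expected, provided string) bool {
	return expected == provided
}

// ConstantTimeEqual is the fix named in the advisory. Every byte is examined
// regardless of where the first mismatch is. Note that ConstantTimeCompare
// returns 0 immediately when the lengths differ, so only the secret's length
// could still be inferred from timing.
func ConstantTimeEqual(expected, provided string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(provided)) == 1
}

// HashedConstantTimeEqual is a further hardening (a common practice, not part
// of the advisory): hashing both sides first yields equal-length inputs, so
// the comparison takes the same time whatever the provided length is.
func HashedConstantTimeEqual(expected, provided string) bool {
	e := sha256.Sum256([]byte(expected))
	p := sha256.Sum256([]byte(provided))
	return subtle.ConstantTimeCompare(e[:], p[:]) == 1
}

// RequireSecret is an illustrative authenticator middleware. It reads the
// shared secret from "Authorization: Bearer <secret>" (a constructed scheme)
// and answers 401 on any mismatch. The scheme-prefix check may short-circuit;
// it reveals only whether the header is well-formed, not any secret byte.
func RequireSecret(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) ||
			!HashedConstantTimeEqual(expected, strings.TrimPrefix(auth, prefix)) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor drives the middleware with an in-memory request carrying the
// given Authorization header value ("" omits the header) and returns the
// HTTP status code the client would see.
func StatusFor(header string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/api/v1/stats", nil)
	if header != "" {
		req.Header.Set("Authorization", header)
	}
	rec := httptest.NewRecorder()
	RequireSecret(expectedSecret, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("correct secret:", StatusFor("Bearer "+expectedSecret))
	fmt.Println("wrong secret  :", StatusFor("Bearer constructed-sample-secret-WRONG"))
	fmt.Println("missing header:", StatusFor(""))
}
```

The design choice worth noting is the hash-then-compare step: `subtle.ConstantTimeCompare` alone is the advisory's fix and removes the prefix-length leak, while hashing both inputs first removes the remaining length dependency at the cost of two SHA-256 computations per request, which is negligible for a control-plane endpoint such as the jobservice API.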
Metadata
Created: 2023-10-10T21:29:02Z
Modified: 2023-11-09T16:38:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-mq6f-5xh5-hgcf/GHSA-mq6f-5xh5-hgcf.json
CWE IDs: ["CWE-208", "CWE-362"]
Alternative ID: GHSA-mq6f-5xh5-hgcf
Finding: F063
Auto approve: 1