Harbor is a popular open-source, enterprise-class registry server that can store, sign, and scan images, in addition to controlling access and auditing activity, and it can be integrated with Docker Registry and Google Container Registry. Researchers found a critical vulnerability (CVE-2019-16097) affecting versions 1.7.0 through 1.8.2 that, if exploited, would allow an attacker to take control of Harbor registries running the default configuration. A malicious request sent to a vulnerable machine lets the attacker register a new user with admin privileges. All it takes is a simple POST request to “/api/users” whose payload contains the user details plus the ‘HasAdminRole’ parameter. “If we send the same request with “had_admin_role” = “True,” then the user that will be created will be an admin. It’s as simple as that,” said researchers. The researchers developed proof-of-concept code in Python that sends the request; once it is executed, the attacker is able to log into the Harbor registry remotely. A search for open Harbor instances found 2,500, of which 1,300 were deemed vulnerable. Attackers who exploit the vulnerability can infect projects or even delete them.
Although a patch that addresses the vulnerability was made available, users are advised to download and use the new Harbor releases, versions 1.7.6 and 1.8.3.
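
The flaw described above is a mass-assignment bug: the registration endpoint binds a client-supplied privilege flag directly onto the new account. The Go sketch below is an added illustration, not Harbor's own code or the researchers' PoC; the struct, function names and sample body are assumptions, and it shows the unsafe binding beside a handler that rejects the flag unless the caller is already an admin.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is a hypothetical registration model, not Harbor's own struct.
type User struct {
	Username     string `json:"username"`
	Email        string `json:"email"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// ErrForbidden is returned when a non-admin asks for an admin account.
var ErrForbidden = errors.New("non-admin caller cannot create an admin user")

// registerVulnerable binds every client-supplied field, including the
// privilege flag, so self-registration can create an administrator.
func registerVulnerable(body []byte) (User, error) {
	var u User
	err := json.Unmarshal(body, &u)
	return u, err
}

// registerHardened accepts the privilege flag only when the authenticated
// caller is already an admin; everyone else gets an explicit refusal.
func registerHardened(body []byte, callerIsAdmin bool) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	if u.HasAdminRole && !callerIsAdmin {
		return User{}, ErrForbidden
	}
	return u, nil
}

func main() {
	// Constructed sample body for the illustration.
	body := []byte(`{"username":"alice","email":"alice@example.test",` +
		`"password":"placeholder","has_admin_role":true}`)
	v, _ := registerVulnerable(body)
	fmt.Println("vulnerable binding created admin:", v.HasAdminRole)
	_, err := registerHardened(body, false)
	fmt.Println("hardened handler result:", err)
}
```
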