Researchers have discovered a security vulnerability in the Harbor cloud native registry. A critical bug in the Harbor container registry could allow an attacker to gain admin user privileges simply by registering an account. Harbor has patched the flaw, but registries remain vulnerable until they are updated.
Harbor Container Vulnerability
A researcher from Unit 42 (Palo Alto Networks) found a critical security vulnerability affecting the Harbor container registry. Exploiting the bug allows an adversary to gain admin access to the registry.
Specifically, an attacker could register a new user by sending a POST request to “/api/users” containing the usual user details plus a has_admin_role parameter (the HasAdminRole field of Harbor's user model), which the registration endpoint accepted from any caller instead of only from an existing administrator. As stated in the blog post, doing so is quite simple:
“We can send a request and add the parameter ... If we send the same request with has_admin_role = True, then the user that will be created will be an admin.”
The attacker could then sign in with the new account and, as an admin, perform a variety of activities: registering further admin users, downloading and inspecting private projects, and replacing images with malware or crypto miners.
Harbor Released A Patch
The researcher confirmed at least 1,300 registries vulnerable to this flaw. The vulnerability affected Harbor versions 1.7.0 through 1.8.2.
Following the disclosure, Harbor released fixes in versions 1.7.6 and 1.8.3. The patch adds a check so that only an existing administrator can create admin accounts; a self-registration request that sets has_admin_role no longer produces an admin user.
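The mechanism described above and the class of check the patch adds, as an added Go example that is not code from the original article, from Unit 42, or from the Harbor project: an in-process stand-in registration handler that stores has_admin_role exactly as received (the pre-fix behaviour) next to one that honours the flag only when the caller is already an administrator. The handler and struct names, the X-Test-Session header used to simulate an admin session, the 403 response and the request body are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// registration is the part of the /api/users body that matters here. The
// has_admin_role tag is the parameter the article names; the struct itself is
// a simplified stand-in for Harbor's user model, not Harbor's code.
type registration struct {
	Username     string `json:"username"`
	Email        string `json:"email"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// userStore stands in for the registry database: username -> admin flag.
type userStore struct{ admins map[string]bool }

func newStore() *userStore { return &userStore{admins: map[string]bool{}} }

// callerIsAdmin is a stand-in for a server-side session check. Assumption for
// this toy only: a real server must derive this from the authenticated
// session, never from a client-controlled header like this one.
func callerIsAdmin(r *http.Request) bool {
	return r.Header.Get("X-Test-Session") == "admin"
}

// vulnerableRegister models the pre-fix behaviour: the admin flag supplied by
// the client is stored as-is, so plain self-registration can create an admin.
func (s *userStore) vulnerableRegister(w http.ResponseWriter, r *http.Request) {
	var u registration
	if err := json.NewDecoder(r.Body).Decode(&u); err != nil {
		http.Error(w, "invalid body", http.StatusBadRequest)
		return
	}
	s.admins[u.Username] = u.HasAdminRole // the client picks its own role
	w.WriteHeader(http.StatusCreated)
}

// hardenedRegister models the check the patch introduces: the admin flag is
// honoured only when the caller is already an administrator. Refusing with
// 403 (rather than silently clearing the flag) is this example's choice.
func (s *userStore) hardenedRegister(w http.ResponseWriter, r *http.Request) {
	var u registration
	if err := json.NewDecoder(r.Body).Decode(&u); err != nil {
		http.Error(w, "invalid body", http.StatusBadRequest)
		return
	}
	if u.HasAdminRole && !callerIsAdmin(r) {
		http.Error(w, "only an administrator may create admin users", http.StatusForbidden)
		return
	}
	s.admins[u.Username] = u.HasAdminRole
	w.WriteHeader(http.StatusCreated)
}

// Constructed self-registration body that smuggles in has_admin_role.
const adminBody = `{"username":"eve","email":"eve@example.test","password":"Passw0rd!","has_admin_role":true}`

// submit posts body to handler in-process (no network) and returns the HTTP
// status plus whether username ended up stored with the admin flag.
func submit(handler http.HandlerFunc, store *userStore, body, username string, asAdmin bool) (int, bool) {
	req := httptest.NewRequest(http.MethodPost, "/api/users", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if asAdmin {
		req.Header.Set("X-Test-Session", "admin")
	}
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code, store.admins[username]
}

// ExploitSucceeds: unauthenticated self-registration against the vulnerable handler.
func ExploitSucceeds() bool {
	s := newStore()
	code, isAdmin := submit(s.vulnerableRegister, s, adminBody, "eve", false)
	return code == http.StatusCreated && isAdmin
}

// ExploitBlocked: the same request against the hardened handler.
func ExploitBlocked() (int, bool) {
	s := newStore()
	return submit(s.hardenedRegister, s, adminBody, "eve", false)
}

// AdminCanStillCreateAdmin: the hardened handler still serves an admin session.
func AdminCanStillCreateAdmin() bool {
	s := newStore()
	code, isAdmin := submit(s.hardenedRegister, s, adminBody, "eve", true)
	return code == http.StatusCreated && isAdmin
}

func main() {
	fmt.Println("exploit works before fix:", ExploitSucceeds())
	code, isAdmin := ExploitBlocked()
	fmt.Println("after fix: status", code, "admin stored:", isAdmin)
	fmt.Println("admin session can still create admins:", AdminCanStillCreateAdmin())
}
```

The point the two handlers make is that the role a freshly registering user gets must be decided by the server from who the caller already is, not read back from the request body; any field in a self-registration payload is attacker-controlled.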
Users must update to the patched versions to stay protected. To tell whether an instance has already been abused, administrators can review the user list for admin accounts they do not recognize.
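The check suggested above, as an added Go example that is not from the article, Unit 42, or the Harbor project: decode a /api/users listing and report every account that carries the admin flag but is not on an operator-maintained allow-list. The user list below is constructed; has_admin_role is the field the article names, and the remaining field names are assumed to match the JSON tags of Harbor's user model.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// harborUser holds the fields of a /api/users entry used by this check.
// Field names other than has_admin_role are assumptions about the response.
type harborUser struct {
	UserID       int    `json:"user_id"`
	Username     string `json:"username"`
	Email        string `json:"email"`
	HasAdminRole bool   `json:"has_admin_role"`
	CreationTime string `json:"creation_time"`
}

// Constructed sample of what an admin-authenticated GET /api/users might
// return; "eve" is the account an attacker registered with has_admin_role.
const sampleUserList = `[
 {"user_id":1,"username":"admin","email":"admin@example.test","has_admin_role":true,"creation_time":"2019-01-10T09:00:00Z"},
 {"user_id":7,"username":"ci-deploy","email":"ci@example.test","has_admin_role":true,"creation_time":"2019-03-02T12:30:00Z"},
 {"user_id":12,"username":"dev-alice","email":"alice@example.test","has_admin_role":false,"creation_time":"2019-06-14T08:15:00Z"},
 {"user_id":41,"username":"eve","email":"eve@example.test","has_admin_role":true,"creation_time":"2019-09-19T03:47:12Z"}
]`

// UnexpectedAdmins decodes a /api/users response and returns, sorted by
// username, every account that has the admin flag but is not in expected.
// Non-admin accounts are ignored regardless of the allow-list.
func UnexpectedAdmins(usersJSON string, expected []string) ([]harborUser, error) {
	var users []harborUser
	if err := json.Unmarshal([]byte(usersJSON), &users); err != nil {
		return nil, fmt.Errorf("decoding user list: %w", err)
	}
	allowed := make(map[string]bool, len(expected))
	for _, name := range expected {
		allowed[name] = true
	}
	var out []harborUser
	for _, u := range users {
		if u.HasAdminRole && !allowed[u.Username] {
			out = append(out, u)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Username < out[j].Username })
	return out, nil
}

func main() {
	// The allow-list is the set of admin accounts the operator knows about.
	found, err := UnexpectedAdmins(sampleUserList, []string{"admin", "ci-deploy"})
	if err != nil {
		panic(err)
	}
	for _, u := range found {
		fmt.Printf("unexpected admin: %s (id %d, %s, created %s)\n",
			u.Username, u.UserID, u.Email, u.CreationTime)
	}
}
```

Run it against the real listing by saving the output of an admin-authenticated GET /api/users to a file and passing its contents to UnexpectedAdmins; the creation time of any hit narrows down when the registration happened, which is the starting point for checking what that account then pulled or pushed.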
By Abeerah Hashim