Harbor · Harbor · CVE-2024-22244
**Name of the Vulnerable Software and Affected Versions**
Harbor 2.8.4 and earlier (the 2.8.x line and older releases)
Harbor 2.9.0 through 2.9.2
Harbor 2.10.0
**Description**
Harbor, when configured for OIDC authentication mode, contains an Open Redirect: the `redirect_url` query parameter of the OIDC login endpoint is not validated, so after a successful OIDC login the browser is sent to whatever location that parameter names, including a site outside Harbor. A user who follows a crafted link such as `https://<harbor hostname>/c/oidc/login?redirect_url=https://<attacker domain>` logs in to the genuine Harbor instance and is then redirected, with no visible indication, to the attacker's site, which can host a phishing page that imitates Harbor. The link starts with the trusted Harbor hostname, which is what makes it convincing, so the risk is that users click such links from e-mail, chat, or other external sources.
**Recommendations**
For Harbor versions 2.8.4 and earlier, update to Harbor 2.8.5 or later.
For Harbor versions 2.9.2 and earlier, update to Harbor 2.9.3 or later.
For Harbor versions 2.10.0 and earlier, update to Harbor 2.10.1 or later.
As a temporary workaround, when Harbor is configured for OIDC authentication, warn users to log in only by navigating to the Harbor hostname directly and not through links received from external sources.
When handling the login request, validate that the `redirect_url` read from the original request URL is a local path (a root-relative path on the Harbor host, not an absolute or protocol-relative URL) before using it as the post-login redirect target, similar to the fix applied upstream in the `oidc.go` file.
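One way to implement such a "local path only" check, added here as an example and not Harbor's own `oidc.go` code: a Go helper that accepts only root-relative paths and rejects absolute URLs, protocol-relative `//host` targets, backslashes (which browsers treat as forward slashes) and percent-encoded variants of the same, then falls back to a fixed landing page whenever the supplied value is not local. The function names, the fallback path and the sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isLocalRedirect reports whether redirectURL is a path on the Harbor host
// itself (for example "/harbor/projects") rather than an absolute or
// protocol-relative URL that would send the browser to another origin.
// Hypothetical hardening helper written for this page, not Harbor's own code.
func isLocalRedirect(redirectURL string) bool {
	if redirectURL == "" {
		return false
	}
	// Browsers normalise a backslash to a forward slash, so "/\evil.example"
	// is effectively "//evil.example". Control characters have no business
	// in a redirect target either; reject all of them outright.
	if strings.ContainsAny(redirectURL, "\\\r\n\t") {
		return false
	}
	// The value must be root-relative. "//host/..." is protocol-relative and
	// resolves to a different origin, so it is excluded as well.
	if !strings.HasPrefix(redirectURL, "/") || strings.HasPrefix(redirectURL, "//") {
		return false
	}
	u, err := url.Parse(redirectURL)
	if err != nil {
		return false
	}
	// Any scheme, host or userinfo means the target is not local.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	// url.Parse decodes the path, so "/%2F%2Fevil.example" becomes
	// "//evil.example" here; an intermediary that decodes before redirecting
	// would turn that into an off-site target. Same for an encoded backslash.
	if strings.HasPrefix(u.Path, "//") || strings.Contains(u.Path, "\\") {
		return false
	}
	return true
}

// safeRedirectTarget returns redirectURL when it is local and the fallback
// landing page otherwise, so the login handler never echoes an
// attacker-controlled absolute URL into the Location header.
func safeRedirectTarget(redirectURL, fallback string) string {
	if isLocalRedirect(redirectURL) {
		return redirectURL
	}
	return fallback
}

func main() {
	// Constructed sample values a login handler might receive in redirect_url.
	for _, in := range []string{
		"/harbor/projects",
		"/harbor/projects?page=2",
		"https://evil.example/phish",
		"//evil.example/phish",
		"/\\evil.example",
		"/%2F%2Fevil.example",
		"javascript:alert(1)",
		"",
	} {
		fmt.Printf("%-30q -> %s\n", in, safeRedirectTarget(in, "/harbor/projects"))
	}
}
```

The check is deliberately an allow-list of one shape (a root-relative path) rather than a deny-list of known-bad prefixes; anything that does not fit that shape is replaced with the fallback instead of being rejected with an error, which keeps the login flow working for users who arrived via a malformed link.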