PT-2021-11705 · Harbor · Harbor

Javier Provecho · Published 2021-02-02 · Updated 2024-08-21

CVE-2020-29662

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Harbor versions 2.0 through 2.0.4; Harbor versions 2.1.x through 2.1.1.
Description: The registry catalog API is exposed on an unauthenticated path, allowing the authorization check to be bypassed. The vulnerable endpoint is "GET /v2/_catalog/": adding a trailing slash to the path lets the request through without authentication.
Recommendations: For Harbor versions 2.0 through 2.0.4, update to version 2.0.5 immediately. For Harbor versions 2.1.x through 2.1.1, update to version 2.1.2 immediately. If updating to a patched version is not possible, as a temporary workaround disable the vulnerable endpoint or redirect it to a 404 sinkhole at the ingress.
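The advisory's root cause is an authorization check keyed on a literal path while the router also served a trailing-slash variant. The added example below (not part of the advisory or of Harbor's code) shows the defender's side of that: a log check that normalizes request paths before matching, so catalog requests served without credentials are flagged whether the bypass used a trailing slash, a doubled slash or percent-encoding. The log format and sample lines are constructed for the example; a real Harbor or ingress access log needs its own parser.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

CATALOG_PATH = "/v2/_catalog"  # registry catalog endpoint named in the advisory

# Constructed sample lines in a hypothetical '<ip> "<request>" <status> auth=<flag>'
# format (auth=absent means no credentials accompanied the request).
SAMPLE_LOG = """\
10.0.0.5 "GET /v2/_catalog HTTP/1.1" 401 auth=absent
10.0.0.5 "GET /v2/_catalog/ HTTP/1.1" 200 auth=absent
10.0.0.7 "GET /v2/_catalog HTTP/1.1" 200 auth=present
10.0.0.9 "GET /v2/library/alpine/tags/list HTTP/1.1" 200 auth=present
10.0.0.5 "GET /v2/%5Fcatalog/?n=100 HTTP/1.1" 200 auth=absent
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) auth=(?P<auth>present|absent)$'
)


def normalize_path(target: str) -> str:
    """Reduce a request target to the resource it names: drop the query string,
    percent-decode, collapse repeated slashes, resolve '.'/'..' segments and
    strip the trailing slash that the advisory shows slipping past the check."""
    path = unquote(urlsplit(target).path)
    path = re.sub(r"/+", "/", path)
    return normpath(path)  # normpath also removes a trailing "/" (except for "/")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = normalize_path(rec["target"])
    return rec


def find_unauthenticated_catalog_hits(log_text: str) -> list:
    """Records where the catalog was served (2xx) with no credentials present.
    Matching on the normalized path is the point: a filter keyed on the literal
    "/v2/_catalog" would miss exactly the variants that bypassed authorization."""
    return [
        rec for rec in map(parse_line, log_text.splitlines())
        if rec and rec["path"] == CATALOG_PATH
        and rec["auth"] == "absent" and 200 <= rec["status"] < 300
    ]
```

Running `find_unauthenticated_catalog_hits(SAMPLE_LOG)` on the constructed lines returns the two trailing-slash requests from 10.0.0.5 and nothing else; the 401 and the authenticated 200 are correctly ignored.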

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information
Improper Authentication

Related Identifiers

BIT-HARBOR-2020-29662
CVE-2020-29662
GHSA-38R5-34MR-MVM7
GO-2022-0785

Affected Products

Harbor