PT-2022-8172 · Harbor · Harbor

Sean Wright · Published 2022-02-11 · Updated 2024-08-21

CVE-2019-19030
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Harbor versions 1.10.3 and earlier, Harbor versions 2.x before 2.0.1

Description: The issue allows unauthenticated API calls to reveal whether a resource exists via the HTTP status code, enabling resource enumeration. An attacker can use the Harbor API to make unauthenticated calls to the Harbor instance and work out which resources exist and which do not, revealing information such as the names of existing projects and repositories. The following API resources were found to be vulnerable to enumeration:
  /api/chartrepo/{repo}/prov (POST)
  /api/chartrepo/{repo}/charts (GET, POST)
  /api/chartrepo/{repo}/charts/{name} (GET, DELETE)
  /api/chartrepo/{repo}/charts/{name}/{version} (GET, DELETE)
  /api/labels?name={name}&scope=p (GET)
  /api/repositories?project_id={id} (GET)
  /api/repositories/{repo_name}/ (GET, PUT, DELETE)
  /api/repositories/{repo_name}/tags (GET)
  /api/repositories/{repo_name}/tags/{tag}/manifest?version={version} (GET)
  /api/repositories/{repo_name}/{tag}/labels (GET)
  /api/projects?project_name={name} (HEAD)
  /api/projects/{project_id}/summary (GET)
  /api/projects/{project_id}/logs (GET)
  /api/projects/{project_id} (GET, PUT, DELETE)
  /api/projects/{project_id}/metadatas (GET, POST)
  /api/projects/{project_id}/metadatas/{metadata_name} (GET, PUT)

Recommendations: Update to version 1.10.3 or 2.0.1 to patch this issue immediately. As a temporary workaround until the instance can be patched, restrict access to the vulnerable API endpoints (for example, to authenticated or trusted network sources) and avoid relying on them in affected Harbor instances until the issue is resolved.
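The status-code oracle described above comes from checking whether a resource exists before checking who is asking. The added Go example below (not Harbor's code; the project store, the Authorization-header check and the `/api/projects/{project_id}` path handling are constructed stand-ins) shows a handler with that ordering beside one that authenticates first, so an anonymous caller gets the same 401 whether or not the project exists:

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed in-memory stand-in for the project store (not Harbor's code).
var knownProjects = map[string]bool{"library": true, "internal-tools": true}

// Placeholder auth check: any non-empty Authorization header counts as a session.
func isAuthenticated(r *http.Request) bool { return r.Header.Get("Authorization") != "" }

// VulnerableHandler resolves the resource before checking the caller, so an
// anonymous request gets 404 for a missing project and 401 for an existing one:
// the status code itself is an existence oracle, the behaviour in CVE-2019-19030.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if !knownProjects[strings.TrimPrefix(r.URL.Path, "/api/projects/")] {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	if !isAuthenticated(r) {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// HardenedHandler authenticates first, so every anonymous request receives
// the same 401 whether or not the project exists; only callers who already
// hold a session can learn a 404.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	if !isAuthenticated(r) {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	if !knownProjects[strings.TrimPrefix(r.URL.Path, "/api/projects/")] {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// AnonStatus returns the status code a handler gives an unauthenticated GET on path.
func AnonStatus(h http.HandlerFunc, path string) int {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}
```

The same ordering check applies to every endpoint in the list above: a useful regression test is to request a known and an unknown resource anonymously and assert the two responses are indistinguishable.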

Related Identifiers

CVE-2019-19030
GHSA-Q9X4-Q76F-5H5J
GO-2022-0704

Affected Products

Harbor