PT-2023-17692 · Harbor · Harbor

Porcupiney Hairs

Published: 2023-10-10 · Updated: 2024-08-21

CVE-2023-20902

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Harbor versions 2.6.x and earlier
Harbor versions 2.7.2 and earlier
Harbor versions 2.8.2 and earlier
Harbor versions 1.10.17 and earlier
Description
A timing weakness in Harbor allows an attacker with network access to the jobservice to create jobs, stop job tasks, and retrieve job task information. The vulnerability exists because the authenticator type compares secrets with an ordinary (non-constant-time) comparison, so the comparison is prone to timing attacks. The jobservice exposes several APIs, including "POST /api/v1/jobs" to create a job task, "GET /api/v1/jobs/{job id}" to get job task information, and "POST /api/v1/jobs/{job id}" to stop a job task. If an attacker obtains the secret, it is possible to retrieve job information, create a job, or stop a job task.
Recommendations
For Harbor versions 2.6.x and earlier, update to Harbor 2.8.3 or later.
For Harbor versions 2.7.2 and earlier, update to Harbor 2.7.3 or later.
For Harbor versions 2.8.2 and earlier, update to Harbor 2.8.3 or later.
For Harbor versions 1.10.17 and earlier, update to Harbor 1.10.18 or later.
As a temporary workaround, consider blocking any inbound traffic from the external network to the jobservice container to reduce the risk.
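The weak secret comparison named in the description, shown beside a constant-time replacement, as an added Go example. This is not Harbor's own code: the secret value, the function names and the requireSecret wrapper are constructed for illustration; only the endpoint paths come from the advisory.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

// Constructed stand-in for the jobservice's configured shared secret
// (hypothetical value; a real deployment loads it from configuration).
const expectedSecret = "example-jobservice-secret"

// insecureSecretMatch shows the pattern the advisory describes: an ordinary
// string comparison stops at the first mismatching byte, so response time
// depends on how many leading bytes of the presented value are correct.
func insecureSecretMatch(presented string) bool {
	return presented == expectedSecret
}

// secureSecretMatch hashes both values to a fixed length and then compares
// the digests in constant time. Hashing first matters because
// subtle.ConstantTimeCompare returns 0 immediately when the lengths differ,
// which would otherwise leak the length of the secret.
func secureSecretMatch(presented string) bool {
	want := sha256.Sum256([]byte(expectedSecret))
	got := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// requireSecret is a hypothetical wrapper for the job task endpoints
// (POST /api/v1/jobs, GET/POST /api/v1/jobs/{job id}) that rejects any
// request whose Authorization header does not carry the shared secret.
func requireSecret(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !secureSecretMatch(r.Header.Get("Authorization")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println("constant-time match:", secureSecretMatch(expectedSecret))
	fmt.Println("constant-time reject:", secureSecretMatch("wrong"))
}
```

Both functions accept the same set of inputs; the fix changes only how long the rejection takes, which is exactly what a timing attack measures.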

Weakness Enumeration

Race Condition

Related Identifiers

BIT-HARBOR-2023-20902
CVE-2023-20902
GHSA-MQ6F-5XH5-HGCF
GO-2023-2109

Affected Products

Harbor