PT-2024-19290 · Harbor · Harbor

Arnaud Cordier · Published 2024-06-02 · Updated 2025-02-27 · CVE-2024-22244

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Harbor versions 2.8.4 and earlier
Harbor versions 2.9.2 and earlier
Harbor versions 2.10.0 and earlier
Description

The issue is an Open Redirect in Harbor under OIDC authentication mode: the redirect_url query parameter of the login URL can be used to send a user to a malicious site after a successful OIDC login. This poses a risk if a user clicks a URL carrying a malicious redirect_url. The redirect_url value can be an ambiguous URL and can be used to embed a phishing URL. For example, a URL like https://<harbor hostname>/c/oidc/login?redirect_url=https://<redirect domain> could redirect the user to a malicious site without their knowledge.
Recommendations

For Harbor versions 2.8.4 and earlier, update to Harbor 2.8.5 or later. For Harbor versions 2.9.2 and earlier, update to Harbor 2.9.3 or later. For Harbor versions 2.10.0 and earlier, update to Harbor 2.10.1 or later.

As a temporary workaround, when Harbor is configured with OIDC authentication, warn users not to log into Harbor through external links. Consider implementing a check that the redirect_url is a local path when reading it from the original request URL, similar to the fix implemented in Harbor's oidc.go file.
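As an added example (not Harbor's own code and not part of this advisory), a Go check of the kind the recommendation describes: the redirect_url value is accepted only when it is a local path, so a login URL carrying an external destination is refused. harbor.example.test and attacker.example are placeholder hosts.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isLocalRedirect reports whether redirectURL may be used as the post-login
// destination: it must be a path on the Harbor host itself. Assumed helper
// written for this advisory, not Harbor's own code.
func isLocalRedirect(redirectURL string) bool {
	if redirectURL == "" {
		return true // empty means "use the default landing page"
	}
	// Exactly one leading "/": rejects absolute URLs (https://...) and
	// scheme-relative "//host/..." forms, which browsers send to that host.
	if !strings.HasPrefix(redirectURL, "/") || strings.HasPrefix(redirectURL, "//") {
		return false
	}
	// Backslashes (browsers normalise "/\host" to "//host") and control
	// characters never belong in a local path.
	if strings.ContainsAny(redirectURL, "\\\r\n\t") {
		return false
	}
	// A parsed local path carries no scheme, authority or user info.
	u, err := url.Parse(redirectURL)
	return err == nil && u.Scheme == "" && u.Host == "" && u.User == nil
}

// redirectTarget reads redirect_url from a login URL and validates it,
// returning the path to send the user to after OIDC login, or an error.
func redirectTarget(loginURL string) (string, error) {
	u, err := url.Parse(loginURL)
	if err != nil {
		return "", err
	}
	target := u.Query().Get("redirect_url")
	if !isLocalRedirect(target) {
		return "", fmt.Errorf("invalid redirect_url %q", target)
	}
	return target, nil
}

func main() {
	// Constructed sample login URL; harbor.example.test is a placeholder host.
	t, err := redirectTarget("https://harbor.example.test/c/oidc/login?redirect_url=//attacker.example/x")
	fmt.Printf("target=%q err=%v\n", t, err)
}
```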

Fix

Weakness Enumeration

Open Redirect

Related Identifiers

BIT-HARBOR-2024-22244
CVE-2024-22244
GHSA-5757-V49G-F6R7
GO-2024-2915

Affected Products

Harbor