Harbor versions prior to v2.0.1 were vulnerable to a limited Server-Side Request Forgery (SSRF) that allowed Harbor project owners to scan the TCP ports of hosts on the Harbor server's internal network.
Harbor is an open source container registry created by VMware and later contributed to the CNCF. At the time of writing, Harbor has more than twelve thousand stars on GitHub and many prominent industry partners.
This vulnerability was patched in Harbor v2.0.1, released on June 30, 2020.
In Harbor versions prior to v2.0.1, non-administrative users who own a project can configure webhooks, as shown below:
Using the "Endpoint URL" field, an attacker can supply an arbitrary hostname and port. When a user clicks the "Test Endpoint" button, the Harbor server sends an HTTP request to the user-specified Endpoint URL.
While the attacker cannot control the content of the request, nor view the resulting response, the outcome of the test (whether the connection succeeded, was refused, or timed out) is enough of an oracle to perform TCP port scans of RFC 1918 hosts on the Harbor server's internal network.
Test it yourself!
If you would like to set up your own Harbor server and proxy to test as we did in our video above, see our blog post for Cinderella, free and ephemeral Kubernetes clusters which are perfect for situations like this. Here's our video on creating a Cinderella cluster and deploying Harbor and mitmproxy using our open source kubectl plugin, kubetap:
4/13/2020 - Vulnerability identified by Matt Hamilton @ Soluble
4/14/2020 - Vulnerability reported to Harbor team
6/08/2020 - Vulnerability patched in git
6/30/2020 - Vulnerability fix tagged in release v2.0.1
7/15/2020 - Public disclosure