"High Severity Vulnerabilities Found in Harbor Open-Source Artifact Registry"

Oxeye security researchers have discovered a number of new high severity Insecure Direct Object Reference (IDOR) vulnerabilities in the Cloud Native Computing Foundation (CNCF)-graduated project Harbor, VMware's popular open-source artifact registry. Harbor is a cloud native, open-source registry that stores, signs, and scans content. It can work with different Docker registries to provide security features such as user management, access control, and activity auditing.

IDOR is an access control vulnerability that occurs when an application uses user-supplied input to access objects directly. It is a high severity threat and falls under the most serious web application security risk on the most recent OWASP Top 10 list. Failures in access control typically result in unauthorized information disclosure, modification, data deletion, or the performance of business functions beyond a user's limits. The research uncovered IDOR in VMware's Harbor, a tool that helps users manage their application artifacts. In most cases, having Role-Based Access Control (RBAC) in place is a best practice against IDOR vulnerabilities, but this study tested that theory with surprising results.

The Harbor IDOR vulnerability allows unauthorized disclosure of webhook policies. Harbor enables users to set up webhook policies to receive notifications when certain events occur in the repository, such as when a new artifact is pushed or an existing one is deleted. After adding a webhook policy, a Harbor user can view the details of the created webhook policies. The vulnerability occurred in this case because Harbor only validated that the requesting user had access to the project ID specified in the request; it failed to validate that the requested webhook ID was associated with that project ID. This article continues to discuss the IDOR vulnerabilities found in Harbor.
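The missing check described above is easy to see in a minimal handler. The following Go program is an added illustration and is not Harbor's code; the data model, the in-memory policy table, the user type and the function names are all constructed for the example. The vulnerable variant checks only that the caller is a member of the requested project and then fetches the webhook policy by ID alone; the fixed variant additionally requires that the policy's project matches the project in the request, and returns "not found" for a mismatch so the response does not reveal whether a policy ID exists in another project.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample types; Harbor's real data model differs.
type WebhookPolicy struct {
	ID        int
	ProjectID int // project that owns this policy
	Name      string
	Endpoint  string
}

type User struct {
	Name     string
	Projects map[int]bool // projects the user is a member of (toy stand-in for RBAC)
}

// Constructed sample data: policy 1 belongs to project 10, policy 2 to project 20.
var policies = map[int]WebhookPolicy{
	1: {ID: 1, ProjectID: 10, Name: "alpha-notify", Endpoint: "https://alpha.example.invalid/hook"},
	2: {ID: 2, ProjectID: 20, Name: "beta-notify", Endpoint: "https://beta.example.invalid/hook"},
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// getWebhookVulnerable reproduces the flaw pattern the article describes:
// it verifies access to projectID, then looks the policy up by policyID alone,
// never checking that the policy actually belongs to projectID.
func getWebhookVulnerable(u User, projectID, policyID int) (WebhookPolicy, error) {
	if !u.Projects[projectID] {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := policies[policyID]
	if !ok {
		return WebhookPolicy{}, ErrNotFound
	}
	return p, nil // leaks policies of other projects
}

// getWebhookFixed adds the ownership check: the policy must belong to the
// project the caller was authorized for. A mismatch is reported as not found
// rather than forbidden, so the caller cannot enumerate IDs in other projects.
func getWebhookFixed(u User, projectID, policyID int) (WebhookPolicy, error) {
	if !u.Projects[projectID] {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := policies[policyID]
	if !ok || p.ProjectID != projectID {
		return WebhookPolicy{}, ErrNotFound
	}
	return p, nil
}

func main() {
	// alice is a member of project 10 only, yet asks for policy 2 (owned by project 20).
	alice := User{Name: "alice", Projects: map[int]bool{10: true}}

	if p, err := getWebhookVulnerable(alice, 10, 2); err == nil {
		fmt.Printf("vulnerable handler returned policy %q of project %d to %s\n", p.Name, p.ProjectID, alice.Name)
	}
	if _, err := getWebhookFixed(alice, 10, 2); err != nil {
		fmt.Println("fixed handler:", err)
	}
	if p, err := getWebhookFixed(alice, 10, 1); err == nil {
		fmt.Printf("fixed handler still serves own policy %q\n", p.Name)
	}
}
```

The design point is that a project-level membership check and an object-level ownership check are two different controls; RBAC answers "may this user act on this project?", while the second check answers "does this object belong to that project?". When the object is fetched by a client-supplied ID, both are needed.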

Help Net Security reports "High Severity Vulnerabilities Found in Harbor Open-Source Artifact Registry"
