CNCF’s Harbor (cloud native registry) fixes an information disclosure bug discovered by ElevenPaths (CVE-2020-29662)

Javier Provecho    10 February, 2021
CNCF’s Harbor (cloud native registry) fixes an information disclosure bug discovered by ElevenPaths (CVE-2020-29662)

On December 2nd, ElevenPaths’ CTO SRE team discovered an unauthenticated API within Harbor, a cloud native registry part of the CNCF. It is commonly used as an agnostic Docker registry and Helm artifact server across cloud native deployments. In this article I’ll explain how to reproduce this vulnerability and what impact it has on the software and data stored within Harbor.

The affected API was the v2 catalog. This API lists all the resources available within the registry. It can only be accessed as an adminstrator.

If the request contains an extra trailing slash, it is still handled by the catalog API but bypassing the authorization.

A bug was detected at the auth middleware, responsible for identifying the intents of each request and authorizing them later. This middleware is executed prior to any other handler in beego, the router used by Harbor. This router executes the same handler for request’s patterns with and without trailing slash.

The auth middleware uses regex patterns to identify the intent of each request. In the case of the catalog API, the pattern didn’t match a request with a trailing slash, therefore not assigning any intent and authorizing the request by default.

Harbor Project has released patches for 2.0.* and 2.1.*. However if accesing them is not posible, redirecting the catalog API to an HTTP sink is recommended as an alternative.

Patching is encouraged to avoid unidentified actors to explore instances discovered by crawling services like Shodan.


  • 12/02/2020. Vulnerability discovered and reported to Harbor Security mailing list.
  • 12/03/2020. Vulnerability confirmed by Harbor Security Team.
  • 12/17/2020. Harbor releases patches 2.0.5. and 2.1.2., fixing the vulnerability.

Leave a Reply

Your email address will not be published.