CVE-2020-13788
Published 2020-07-15
CVE-2020-13788: Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's…
Priority: P4 · 20 · medium · 4.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
EPSS: 1.28% (66.4th percentile)
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 1.8.0 < 2.0.1 | 2.0.1 |
| github.com | goharbor_harbor | >= 1.8.0 < 2.0.1+incompatible | 2.0.1+incompatible |
| linuxfoundation | harbor | < 2.0.1 | 2.0.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| ghsa | | 4.3 | MEDIUM | |
| osv | | 4.3 | MEDIUM | |
OSV
Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788) in github.com/goharbor/harbor
osv·2024-08-21·CVSS 4.3
CVE-2020-13788 [MEDIUM] Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788) in github.com/goharbor/harbor
GHSA
Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788)
ghsa·2022-02-11·CVSS 4.3
CVE-2020-13788 [MEDIUM] CWE-918 Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788)
# Impact
Matt Hamilton from Soluble discovered a limited Server-Side Request Forgery (SSRF) that allowed Harbor project owners to scan the TCP ports of hosts on the Harbor server's internal network.
The vulnerability was immediately fixed by the Harbor team.
# Issue
The “Test Endpoint” API, part of the functionality for ensuring a project Webhook is accessible and functional, is vulnerable to a limited SSRF attack. A malicious user who is also a project administrator can use this API for internal port scanning.
# Known Attack Vectors
Successful exploitation of this issue will lead to bad actors identifying open TCP ports on any network that is accessible by the Harbor core services.
# Patches
If
OSV
Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788)
osv·2022-02-11·CVSS 4.3
CVE-2020-13788 [MEDIUM] Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-07-15