CVE-2023-20902
Published 2023-11-09
Priority: P3 · 35 · medium · CVSS 3.1 base score 6.5
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.37% (29.2th percentile)
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 0 < 1.10.18 | 1.10.18 |
| github.com | goharbor_harbor | >= 2.0.0 < 2.7.3 | 2.7.3 |
| github.com | goharbor_harbor | >= 2.0.0+incompatible < 2.7.3+incompatible | 2.7.3+incompatible |
| github.com | goharbor_harbor | >= 2.8.0 < 2.8.3 | 2.8.3 |
| github.com | goharbor_harbor | >= 2.8.0+incompatible < 2.8.3+incompatible | 2.8.3+incompatible |
| harbor | project | — | — |
| linuxfoundation | harbor | < 1.10.17 | 1.10.17 |
| linuxfoundation | harbor | 2.6.0 – 2.6.4 | — |
| linuxfoundation | harbor | >= 2.7.0 < 2.7.3 | 2.7.3 |
| linuxfoundation | harbor | >= 2.8.0 < 2.8.3 | 2.8.3 |
OSV · 2024-08-21 · CVE-2023-20902 Harbor timing attack risk in github.com/goharbor/harbor
GHSA · 2023-10-10 · CVE-2023-20902 [MEDIUM] CWE-208 Harbor timing attack risk
In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks. The vulnerability occurs due to the following code: https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69
To avoid this issue, a constant-time comparison should be used. subtle.ConstantTimeCompare inspects every byte regardless of where the first difference is and returns 1 only when the two slices are identical, so the `== 0` form below is the rejection branch:
```
// 1 means the secrets match; 0 means reject the request.
subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0
```
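As an added example (not the advisory's text or Harbor's own code), the weak comparison beside the constant-time form, in Go. The header layout "Authorization: Harbor-Secret <secret>", the function names and the sample secret are assumptions for illustration; the remediation also hashes both sides before comparing, because subtle.ConstantTimeCompare returns 0 immediately when the lengths differ and would otherwise still leak the secret's length.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Header layout assumed for this example: "Authorization: Harbor-Secret <secret>".
const (
	authHeader   = "Authorization"
	secretPrefix = "Harbor-Secret"
)

var errUnauthorized = errors.New("jobservice: missing or invalid secret")

// extractSecret pulls the presented secret out of the Authorization header.
func extractSecret(req *http.Request) (string, error) {
	h := strings.TrimSpace(req.Header.Get(authHeader))
	if !strings.HasPrefix(h, secretPrefix) {
		return "", errUnauthorized
	}
	s := strings.TrimSpace(strings.TrimPrefix(h, secretPrefix))
	if s == "" {
		return "", errUnauthorized
	}
	return s, nil
}

// CheckSecretVulnerable is the weak pattern the advisory describes. Go's
// string comparison returns at the first differing byte, so the response
// time grows with the number of leading bytes the guess shares with the
// real secret; an attacker on a stable network path can recover it
// byte by byte.
func CheckSecretVulnerable(expected, presented string) error {
	if presented != expected {
		return errUnauthorized
	}
	return nil
}

// CheckSecretConstantTime is the remediation. subtle.ConstantTimeCompare
// examines every byte and returns 1 only when the inputs are identical.
// It returns 0 immediately when the lengths differ, which would still leak
// the secret's length, so both sides are hashed to a fixed width first.
func CheckSecretConstantTime(expected, presented string) error {
	e := sha256.Sum256([]byte(expected))
	p := sha256.Sum256([]byte(presented))
	if subtle.ConstantTimeCompare(e[:], p[:]) == 0 {
		return errUnauthorized
	}
	return nil
}

// DoAuth has the shape of a jobservice authenticator: parse the header,
// then compare against the configured secret in constant time.
func DoAuth(req *http.Request, expected string) error {
	secret, err := extractSecret(req)
	if err != nil {
		return err
	}
	return CheckSecretConstantTime(expected, secret)
}

func main() {
	const expected = "constructed-sample-secret" // constructed value, not a real secret
	req, _ := http.NewRequest(http.MethodPost, "http://jobservice:8080/api/v1/jobs", nil)

	req.Header.Set(authHeader, secretPrefix+" "+expected)
	fmt.Println("correct secret:", DoAuth(req, expected))

	req.Header.Set(authHeader, secretPrefix+" constructed-sample-secreX")
	fmt.Println("one byte off:  ", DoAuth(req, expected))

	req.Header.Set(authHeader, "Bearer "+expected)
	fmt.Println("wrong scheme:  ", DoAuth(req, expected))
}
```

Both checks accept the same inputs and reject the same inputs; the difference is only in how long the rejection takes, which is the whole signal a timing attack depends on.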
### Impact
This attack might be possible theoretically, but no workable proof of concept is available, and access complexity is set at High.
The jobservice exposes these APIs:
```
Create a job task --- POST /api/v1/jobs
Get job task information --- GET /api/v1/jobs/{job_id}
Stop job task --- POST /api/v1/jobs/{job_id}
Get job log task -
```
OSV · 2023-10-10 · CVE-2023-20902 [MEDIUM] Harbor timing attack risk (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.