CNCF Harbor ORM Leak Vulnerability in User Password Hash Disclosure

Vulnerability

A vulnerability exists in CNCF Harbor versions 2.13.x prior to 2.13.1 and 2.12.x prior to 2.12.4, allowing administrators to exploit an Object-Relational Mapping (ORM) leak in the '/api/v2.0/users' endpoint. This vulnerability enables the leakage of users' password hashes and salt values. The 'q' URL parameter can be manipulated to filter users by any column, including passwords, thereby extracting password hashes character by character. This issue could lead to the unauthorized disclosure of sensitive information stored in the Harbor database.

Impact

Exploitation of this vulnerability could result in the unauthorized disclosure of users' password hashes and salt values, allowing for potential password cracking and unauthorized access to user accounts.

Reproduction

To reproduce this vulnerability, an administrator can send a POST request to the '/api/v2.0/users' endpoint with the 'q' URL parameter set to filter by the 'password' column. By using a regular expression that matches the beginning of the password hash, the attacker can leak the password hash character by character. This exploitation can be automated with a script that iterates through the characters of the password hash.

Remediation

Users can upgrade to CNCF Harbor versions 2.13.1 or 2.12.4, where this vulnerability has been patched.
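
A log check to run alongside the upgrade (an added example, not part of the original advisory or of Harbor's code): it scans access-log lines for requests to '/api/v2.0/users' whose 'q' filter names a password or salt column and counts them per client, since character-by-character extraction shows up as many such requests from one source. The log layout, the column names 'password' and 'salt', and every sample line are assumptions constructed for illustration; the HTTP method is not checked.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Column names are assumptions taken from the advisory's wording.
SENSITIVE = ("password", "salt")
# Assumed combined-log-style layout: client IP first, request line in quotes.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def sensitive_filter_keys(target):
    """Return sensitive columns named by the 'q' filter of a users-list request."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/api/v2.0/users":
        return []
    hits = []
    # parse_qsl percent-decodes, so encoded '=' and ',' inside q are handled.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name != "q":
            continue
        # q carries comma-separated key=value filters; only the key is inspected,
        # so a harmless value such as username=password123 is not flagged.
        for clause in value.split(","):
            key = clause.split("=", 1)[0].strip().lower()
            hits += [col for col in SENSITIVE if col in key]
    return hits

def scan(lines):
    """Count requests that filter on a sensitive column, per client IP."""
    per_client = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and sensitive_filter_keys(m.group("target")):
            per_client[m.group("ip")] += 1
    return per_client

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jul/2025:16:40:01 +0000] "GET /api/v2.0/users?page=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Jul/2025:16:40:05 +0000] "GET /api/v2.0/users?q=username%3Dalice HTTP/1.1" 200 301',
    '198.51.100.9 - - [25/Jul/2025:16:41:10 +0000] "GET /api/v2.0/users?q=password%3DPLACEHOLDER1 HTTP/1.1" 200 2',
    '198.51.100.9 - - [25/Jul/2025:16:41:11 +0000] "POST /api/v2.0/users?q=email%3Dx,salt%3DPLACEHOLDER2 HTTP/1.1" 200 2',
    '198.51.100.9 - - [25/Jul/2025:16:41:12 +0000] "GET /api/v2.0/projects?q=name%3Dpassword-vault HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} request(s) filtering users on a sensitive column")
```

Any hit from an account that is not expected to query users this way is worth reviewing, and affected users' passwords should be treated as exposed to offline cracking.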

Added: Jul 25, 2025, 4:46 PM
Updated: Jul 25, 2025, 4:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.