Oxeye security researchers have uncovered several new high-severity IDOR (Insecure Direct Object Reference) vulnerabilities (CVE-2022-31671, CVE-2022-31666, CVE-2022-31670, CVE-2022-31669, CVE-2022-31667) in Harbor, the popular open-source artifact registry originally developed by VMware and now a CNCF-graduated project.
Harbor is an open-source cloud native registry project that stores, signs, and scans content. It can integrate with various Docker registries to provide security features such as user management, access control, and activity auditing.
IDOR is an access control vulnerability: an application exposes a direct reference to an internal object (such as a database ID) and then uses user-supplied input to fetch that object without verifying that the requesting user is authorized for that particular object. IDOR is a high-severity class of bug and falls under Broken Access Control, which is ranked as the most serious web application security risk in the current OWASP Top 10 (2021).
The IDOR vulnerability described here leads to the disclosure of webhook policies without authorization. Harbor allows users to configure webhook policies to receive notifications about certain events in a project, e.g., when a new artifact is pushed or when an existing one is deleted. Once a webhook policy is added, a Harbor user with access to the project may view the details of the created webhook policies.
In this case the vulnerability occurred because Harbor only validated that the requesting user had access to the project ID specified in the request path; it never validated that the requested webhook policy ID actually belonged to that project. Since policy IDs are drawn from one shared ID space, a user with access to any one project could read the webhook policy details of other projects simply by supplying other policy IDs.
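To make the authorization gap concrete, the following Go program is an added example written for this page; it is not Harbor's code and does not use Harbor's types or API. It models a minimal registry with two projects and a global table of webhook policies (all IDs, names and endpoint URLs are constructed), then contrasts a handler that only checks project membership (the flawed pattern described above) with one that also checks that the policy belongs to the requested project. An `Enumerate` helper shows how a member of one project harvests policies from other projects by walking the ID space against the flawed handler.

```go
package main

import (
	"errors"
	"fmt"
)

// WebhookPolicy is a constructed stand-in for a registry's webhook policy
// record; the Endpoint is the detail an attacker would want to read.
type WebhookPolicy struct {
	ID        int64
	ProjectID int64
	Name      string
	Endpoint  string
}

type store struct {
	members  map[int64]map[string]bool // project ID -> users who are members
	policies map[int64]WebhookPolicy   // policy ID -> policy (one global ID space)
}

var (
	errForbidden = errors.New("forbidden")
	errNotFound  = errors.New("not found")
)

// newStore builds constructed sample data: alice belongs to project 1,
// bob to project 2, and each project owns one webhook policy.
func newStore() *store {
	return &store{
		members: map[int64]map[string]bool{
			1: {"alice": true},
			2: {"bob": true},
		},
		policies: map[int64]WebhookPolicy{
			10: {ID: 10, ProjectID: 1, Name: "ci-hook", Endpoint: "https://ci.example.test/hook"},
			11: {ID: 11, ProjectID: 2, Name: "audit-hook", Endpoint: "https://audit.example.test/hook?token=example"},
		},
	}
}

// canAccessProject is the check the text says was performed: the caller
// must be a member of the project named in the request.
func (s *store) canAccessProject(user string, projectID int64) bool {
	return s.members[projectID][user]
}

// GetPolicyVulnerable reproduces the flawed pattern: it authorizes the
// project from the path, then loads the policy by its ID alone and never
// confirms that the policy belongs to that project.
func (s *store) GetPolicyVulnerable(user string, projectID, policyID int64) (WebhookPolicy, error) {
	if !s.canAccessProject(user, projectID) {
		return WebhookPolicy{}, errForbidden
	}
	p, ok := s.policies[policyID]
	if !ok {
		return WebhookPolicy{}, errNotFound
	}
	return p, nil
}

// GetPolicyFixed adds the missing ownership check. A policy from another
// project is reported as "not found" rather than "forbidden" so the
// response does not confirm that the ID exists elsewhere.
func (s *store) GetPolicyFixed(user string, projectID, policyID int64) (WebhookPolicy, error) {
	if !s.canAccessProject(user, projectID) {
		return WebhookPolicy{}, errForbidden
	}
	p, ok := s.policies[policyID]
	if !ok || p.ProjectID != projectID {
		return WebhookPolicy{}, errNotFound
	}
	return p, nil
}

// Enumerate is the attacker's side: a member of projectID walks policy IDs
// 1..maxID through the vulnerable handler and collects every policy that
// belongs to some other project.
func Enumerate(s *store, user string, projectID, maxID int64) []WebhookPolicy {
	var leaked []WebhookPolicy
	for id := int64(1); id <= maxID; id++ {
		p, err := s.GetPolicyVulnerable(user, projectID, id)
		if err == nil && p.ProjectID != projectID {
			leaked = append(leaked, p)
		}
	}
	return leaked
}

func main() {
	s := newStore()
	// alice may access project 1 only, but asks for policy 11, which belongs to project 2.
	p, err := s.GetPolicyVulnerable("alice", 1, 11)
	fmt.Println("vulnerable:", p.Endpoint, err)
	_, err = s.GetPolicyFixed("alice", 1, 11)
	fmt.Println("fixed:", err)
	fmt.Println("leaked via enumeration:", len(Enumerate(s, "alice", 1, 20)))
}
```

The fix is the single extra condition `p.ProjectID != projectID`; the lesson for any handler that takes two identifiers from the URL is that authorizing the parent resource is not enough when the child resource is looked up by a globally unique ID, and the ownership relation between the two must be checked (or the child must be looked up scoped to the parent in the first place).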