Docker Registry API is accessible without authentication - Vulnerability Database

Docker Registry API is accessible without authentication

Description

The Docker Registry HTTP API provides a standardized interface for storing and distributing container images. This API should require authentication before allowing access to registry operations.

This vulnerability exists when a Docker Registry is accessible without any authentication mechanism. A properly secured registry must return an HTTP 401 Unauthorized response when accessing the /v2/ endpoint without credentials, along with a WWW-Authenticate header that specifies the required authentication method (such as basic authentication or token-based authentication). When authentication is not enforced, the registry allows unrestricted access to all API endpoints.

Remediation

Implement authentication on the Docker Registry immediately to prevent unauthorized access. Follow these steps:

1. Enable Basic Authentication (recommended for quick deployment):
- Create a password file using htpasswd:

mkdir -p /auth
htpasswd -Bc /auth/htpasswd username

- Configure the registry to use basic authentication by adding to your registry configuration or Docker Compose file:

docker run -d \
  -p 5000:5000 \
  --name registry \
  -v /auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  registry:2

2. Implement Token-Based Authentication (recommended for production):
- Deploy an authentication service that implements the Docker Registry token authentication specification
- Configure the registry to validate tokens from your authentication service

3. Network-Level Protection:
- If the registry is only used internally, restrict access using firewall rules or network policies
- Place the registry behind a reverse proxy (nginx, Traefik) with authentication

4. Verify the configuration:
- Test that accessing https://your-registry/v2/ returns HTTP 401
- Confirm that the WWW-Authenticate header is present in the response
- Verify that valid credentials allow proper access

Refer to the official Docker Registry documentation for detailed authentication configuration options.
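The verification in step 4 can be scripted so it is repeatable after every registry change. The script below is an added example, not Invicti's scanner logic or code from the registry project: it applies the criteria stated above (an anonymous GET of /v2/ must return 401 with a Basic or Bearer WWW-Authenticate challenge, and valid credentials must be accepted), parses the challenge so you can see which realm and service the registry advertises, and classifies the result. The host registry.example.com, the credentials and the sample responses are placeholders constructed for the example. Basic credentials are only base64-encoded, so run the authenticated check over HTTPS.

```python
"""Check whether a Docker Registry enforces authentication on its /v2/ endpoint.

Added example for this advisory; it is neither Invicti's scanner logic nor
code from the registry project. Hostnames and credentials are placeholders.
"""
import base64
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class V2Check:
    status: int
    challenge: Optional[dict]   # parsed WWW-Authenticate challenge, if any
    verdict: str                # "enforced" | "unauthenticated" | "misconfigured" | "unknown"


def parse_www_authenticate(value: str) -> dict:
    """Parse a challenge such as
    Bearer realm="https://auth.example.com/token",service="registry.example.com"
    into {"scheme": "bearer", "realm": ..., "service": ...}.
    Quoted values may contain commas, so the string is walked rather than split()."""
    scheme, _, rest = value.strip().partition(" ")
    parsed = {"scheme": scheme.lower()}
    i, n = 0, len(rest)
    while i < n:
        while i < n and rest[i] in " ,":      # skip separators
            i += 1
        eq = rest.find("=", i)
        if i >= n or eq < 0:
            break
        key = rest[i:eq].strip().lower()
        i = eq + 1
        if i < n and rest[i] == '"':          # quoted value, may contain commas
            end = rest.find('"', i + 1)
            end = n if end < 0 else end
            parsed[key] = rest[i + 1:end]
            i = end + 1
        else:                                 # bare token value
            end = rest.find(",", i)
            end = n if end < 0 else end
            parsed[key] = rest[i:end].strip()
            i = end
    return parsed


def classify_v2_response(status: int, headers: dict) -> V2Check:
    """Apply the advisory's criteria: a secured registry answers /v2/ with 401
    plus a Basic or Bearer WWW-Authenticate challenge."""
    lowered = {k.lower(): v for k, v in headers.items()}
    www = lowered.get("www-authenticate")
    challenge = parse_www_authenticate(www) if www else None
    is_registry = lowered.get("docker-distribution-api-version", "").startswith("registry/2")

    if status == 401 and challenge and challenge["scheme"] in ("basic", "bearer"):
        verdict = "enforced"
    elif status == 401:
        # 401 without a usable challenge: clients cannot learn how to authenticate
        verdict = "misconfigured"
    elif status == 200 and is_registry:
        # The finding this advisory describes: the API answers with no credentials at all
        verdict = "unauthenticated"
    else:
        verdict = "unknown"
    return V2Check(status, challenge, verdict)


def fetch_v2(base_url: str, credentials: Optional[tuple] = None, timeout: float = 10.0):
    """GET <base_url>/v2/ and return (status, headers); a 401 is a normal answer here."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/")
    if credentials:
        # Basic credentials are only base64-encoded, so use this over HTTPS only
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def verify_registry(base_url: str, credentials: Optional[tuple] = None) -> dict:
    """Step 4 of the remediation: the anonymous request must be rejected with a
    challenge, and valid credentials (if supplied) must be accepted."""
    anon = classify_v2_response(*fetch_v2(base_url))
    report = {"anonymous": anon.verdict, "challenge": anon.challenge}
    if credentials:
        status, _ = fetch_v2(base_url, credentials)
        report["credentials_accepted"] = status == 200
    return report


# Constructed responses for offline use, not captured from a real registry.
SAMPLE_RESPONSES = {
    "secured": (401, {"Docker-Distribution-Api-Version": "registry/2.0",
                      "WWW-Authenticate": 'Basic realm="Registry Realm"'}),
    "open": (200, {"Docker-Distribution-Api-Version": "registry/2.0"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLE_RESPONSES.items():
        print(name, classify_v2_response(status, headers).verdict)
    # Live check against your own registry (placeholder host and credentials):
    # print(verify_registry("https://registry.example.com", ("username", "secret")))
```

A verdict of "enforced" with a Basic challenge matches the htpasswd setup in step 1; a Bearer challenge whose realm points at your authentication service matches the token setup in step 2. "misconfigured" means the registry rejects anonymous access but omits the WWW-Authenticate header, so clients such as the Docker CLI cannot discover how to authenticate; "unauthenticated" is the finding described on this page.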
