Harbor Unauthorized Access Vulnerability
Description
Harbor is an open source cloud native registry that stores, signs, and scans container images and other artifacts.
This vulnerability occurs when a Harbor registry instance is exposed to the public internet without proper access controls, allowing unauthorized users to access the registry interface and potentially sensitive repository information. Public exposure of Harbor registries is a common misconfiguration that can lead to information disclosure and unauthorized access to container images.
Remediation
Implement the following access controls to secure your Harbor registry:
1. Configure network-level restrictions to limit access to trusted IP ranges or networks using firewall rules or security groups
2. Enable authentication requirements for all Harbor operations by ensuring anonymous access is disabled in the Harbor configuration
3. Implement a VPN or private network connection for users who need to access the registry remotely
4. Use a reverse proxy with authentication (such as OAuth2, LDAP, or OIDC) to add an additional authentication layer in front of the registry
5. Regularly audit Harbor access logs to detect unauthorized access attempts
6. If public access is required for specific repositories, use Harbor's project-level access controls to limit exposure to only necessary public repositories while keeping others private
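The following audit script is an added example and is not part of this advisory or of the Harbor project. It checks steps 2 and 6 above from a defender's side: it assumes Harbor's v2 REST API (GET /api/v2.0/projects) answers an unauthenticated request with a JSON list of the projects visible to anonymous users, each carrying a metadata.public field holding the string "true" or "false". The base_url, the allowlist of intentionally public projects, and the sample response are all assumptions constructed for this example so it runs offline.

```python
"""Audit a Harbor registry for projects reachable without credentials.

Added example, not code from the advisory or the Harbor project.
Assumes the Harbor v2 API endpoint GET /api/v2.0/projects returns a
JSON list of projects with ``metadata.public`` as "true"/"false".
"""
import json
import urllib.request

# Constructed sample of what an unauthenticated GET /api/v2.0/projects
# might return from an exposed instance. Harbor only lists public
# projects to anonymous callers, so anything here is world-readable.
SAMPLE_RESPONSE = json.dumps([
    {"project_id": 1, "name": "library", "repo_count": 12,
     "metadata": {"public": "true"}},
    {"project_id": 7, "name": "internal-billing", "repo_count": 3,
     "metadata": {"public": "true"}},
    {"project_id": 9, "name": "platform-ci", "repo_count": 0,
     "metadata": {"public": "false"}},
])


def parse_projects(body):
    """Parse a projects response into (name, is_public, repo_count) tuples."""
    projects = []
    for p in json.loads(body):
        flag = str(p.get("metadata", {}).get("public", "false")).lower()
        projects.append((p["name"], flag == "true", int(p.get("repo_count", 0))))
    return projects


def public_projects(body, allowlist=()):
    """Return names of public projects that are not on the approved allowlist.

    ``allowlist`` (an assumption of this example) holds projects that are
    intentionally public per remediation step 6; any other public project
    is an exposure finding that should be switched back to private.
    """
    return sorted(name for name, is_public, _ in parse_projects(body)
                  if is_public and name not in allowlist)


def fetch_projects_anonymously(base_url, timeout=10):
    """GET the project list with no credentials attached.

    Run this from outside the trusted network: a successful, non-empty
    answer means the registry is reachable anonymously from that position,
    i.e. steps 1 and 2 of the remediation are not in effect.
    ``base_url`` is a placeholder such as "https://harbor.example".
    """
    url = base_url.rstrip("/") + "/api/v2.0/projects?page_size=100"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; "library" is the only
    # project approved to be public in this example.
    for name in public_projects(SAMPLE_RESPONSE, allowlist={"library"}):
        print(f"FINDING: project '{name}' is public but not on the allowlist")
```

In a live audit, replace SAMPLE_RESPONSE with the body returned by fetch_projects_anonymously() and keep the allowlist in version control so that a newly public project shows up as a diff rather than going unnoticed.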