IFT Disclosed Report

Bug bounty report Status

Critical Unauthorized Repository Access in Harbor

Company
Created date
May 30 2025

Target

*.status.im

Vulnerability Details

The vulnerability allows an unauthenticated attacker to read the contents of private Docker image repositories in Harbor.

Harbor (versions 1.x.x through 2.5.3) contains a critical access control vulnerability that allows any unauthenticated user to download private and public container images stored in the registry. The attack is carried out via a publicly available API that does not require authorization. This leaks source code, private keys, passwords, configuration files and other sensitive data critical to the company (PoC attached).

Harbor is not just an “image warehouse” but a key component of the IT infrastructure where business-critical data is stored. A compromise of this data = a threat to the entire business!

Remediation Steps

  1. Upgrade Harbor to version 2.6.0 or later.
  2. Limit Harbor’s web interface and API access to trusted IP addresses only.
  3. Enable logging and monitoring.

Unfortunately, I can't attach all the photos because of the restriction, so I will add them through comments.

Validation steps

  1. https://github.com/404tk/CVE-2022-46463/blob/main/harbor.py
  2. Create file harbor.py
  3. Run python3 harbor.py https://harbor.status.im/ --dump_all

The script downloads everything from the registry, without authorization, into the cache folder on your server.
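For the "enable logging and monitoring" remediation step, the dump described above leaves a recognisable trace: one client lists projects or repositories through the API and then pulls manifests and blobs from many distinct repositories. The following detection script is an added example, not part of the report or of Harbor; it assumes the Harbor proxy writes standard nginx "combined" access lines (adjust LOG_RE for a different log format), and all sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed: nginx "combined" access lines from Harbor's proxy container. The
# basic-auth user field is "-" for bearer-token pulls too, so it is not used
# as a signal here. Every sample line below is constructed, not real.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
REPO_PULL = re.compile(r"^/v2/(?P<repo>.+?)/(manifests|blobs)/")   # registry pulls
API_ENUM = re.compile(r"^/api/v2\.0/(projects|repositories)(\?|/|$)")  # listing calls

def parse_line(line):
    """Split one access line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_mass_pulls(lines, min_repos=3):
    """Heuristic: a client that lists projects/repositories through the API and
    then pulls manifests or blobs from >= min_repos distinct repositories is
    dumping the registry, not pulling one image. Returns {ip: sorted repos}."""
    enum_hits = defaultdict(int)
    pulled = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue  # unparsable or failed requests do not count
        if API_ENUM.match(rec["path"]):
            enum_hits[rec["ip"]] += 1
        m = REPO_PULL.match(rec["path"])
        if m:
            pulled[rec["ip"]].add(m.group("repo"))
    return {ip: sorted(repos) for ip, repos in pulled.items()
            if enum_hits[ip] and len(repos) >= min_repos}

SAMPLE_LOG = [
    # constructed: a developer pulling one image (should not be flagged)
    '10.0.0.7 - - [30/May/2025:10:01:02 +0000] "GET /v2/library/web/manifests/1.4 HTTP/1.1" 200 1523 "-" "docker/24.0"',
    '10.0.0.7 - - [30/May/2025:10:01:03 +0000] "GET /v2/library/web/blobs/sha256:aaaa HTTP/1.1" 200 80 "-" "docker/24.0"',
    # constructed: one client walks the API, then pulls every repository it saw
    '203.0.113.9 - - [30/May/2025:10:05:00 +0000] "GET /api/v2.0/projects?page=1&page_size=100 HTTP/1.1" 200 912 "-" "python-requests/2.31"',
    '203.0.113.9 - - [30/May/2025:10:05:01 +0000] "GET /api/v2.0/projects/library/repositories HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '203.0.113.9 - - [30/May/2025:10:05:02 +0000] "GET /v2/library/web/manifests/1.4 HTTP/1.1" 200 1523 "-" "python-requests/2.31"',
    '203.0.113.9 - - [30/May/2025:10:05:03 +0000] "GET /v2/library/api/manifests/latest HTTP/1.1" 200 1410 "-" "python-requests/2.31"',
    '203.0.113.9 - - [30/May/2025:10:05:04 +0000] "GET /v2/internal/worker/blobs/sha256:bbbb HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '203.0.113.9 - - [30/May/2025:10:05:05 +0000] "GET /v2/internal/secrets/manifests/latest HTTP/1.1" 401 0 "-" "python-requests/2.31"',
]
```

Running find_mass_pulls(SAMPLE_LOG) flags only 203.0.113.9 with the three repositories it actually pulled; the failed 401 request and the single-image developer pull are ignored.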

Attachments

9.png
8.png
6.png
7.png
5.png
Details

State: disclosed
Severity: None
Bounty: $0
Visibility: partially
Vulnerability: Authentication Bypass

Participants (3)

company admin
triage team