GHSA-5757-V49G-F6R7
Vulnerability from github – Published: 2024-06-02 22:32 – Updated: 2025-02-26 22:18Description
Under OIDC authentication mode, there is a redirect_url parameter exposed in the URL which is used to redirect the current user to the defined location after the successful OIDC login, This redirect_url can be an ambiguous URL and can be used to embed a phishing URL. For example: if a user clicks the URL with a malicious redirect_url:
https://<harbor_hostnmae>/c/oidc/login?redirect_url=https://<redirect_domain>
It might redirect the current user without their knowledge to a malicious site, posing a potential risk. To avoid this issue, the redirect_url should be checked if it is a local path when reading it from the original request URL.
//src/core/controllers/oidc.go
...
redirectURL := oc.Ctx.Request.URL.Query().Get("redirect_url")
if !utils.IsLocalPath(redirectURL) {
log.Errorf("invalid redirect url: %v", redirectURL)
oc.SendBadRequestError(fmt.Errorf("cannot redirect to other site"))
return
}
if err := oc.SetSession(redirectURLKey, redirectURL); err != nil {
...
Impact
When Harbor is configured with OIDC authentication and users log in via a link outside the Harbor server, it might be vulnerable to an open redirect attack. This attack only involves the OIDC Harbor user, if the current Harbor instance is not configured with OIDC auth, the redirect_url doesn't exist and the Harbor instance is not vulnerable to the open redirect attack.
The following versions of Harbor are involved: <=Harbor 2.8.4, <=Harbor 2.9.2, <= Harbor 2.10.0
Patches
Harbor 2.8.5, Harbor 2.9.3, Harbor 2.10.1
Workarounds
When the Harbor is configured with OIDC authentication, warn the user not to log into the Harbor through external links.
References
N/A
Credit
Thanks Arnaud Cordier (arnaud@cordier.work)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-22244"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-02T22:32:32Z",
"nvd_published_at": "2024-06-10T23:15:49Z",
"severity": "MODERATE"
},
"details": "### Description\nUnder OIDC authentication mode, there is a redirect_url parameter exposed in the URL which is used to redirect the current user to the defined location after the successful OIDC login, This redirect_url can be an ambiguous URL and can be used to embed a phishing URL.\nFor example: if a user clicks the URL with a malicious redirect_url:\n```\nhttps://\u003charbor_hostnmae\u003e/c/oidc/login?redirect_url=https://\u003credirect_domain\u003e\n```\nIt might redirect the current user without their knowledge to a malicious site, posing a potential risk.\nTo avoid this issue, the redirect_url should be checked if it is a local path when reading it from the original request URL. \n```\n//src/core/controllers/oidc.go\n...\nredirectURL := oc.Ctx.Request.URL.Query().Get(\"redirect_url\")\nif !utils.IsLocalPath(redirectURL) {\n log.Errorf(\"invalid redirect url: %v\", redirectURL)\n oc.SendBadRequestError(fmt.Errorf(\"cannot redirect to other site\"))\n return\n}\nif err := oc.SetSession(redirectURLKey, redirectURL); err != nil {\n...\n```\n### Impact\nWhen Harbor is configured with OIDC authentication and users log in via a link outside the Harbor server, it might be vulnerable to an open redirect attack. This attack only involves the OIDC Harbor user, if the current Harbor instance is not configured with OIDC auth, the redirect_url doesn\u0027t exist and the Harbor instance is not vulnerable to the open redirect attack.\n\nThe following versions of Harbor are involved:\n\u003c=Harbor 2.8.4, \u003c=Harbor 2.9.2, \u003c= Harbor 2.10.0\n\n### Patches\nHarbor 2.8.5, Harbor 2.9.3, Harbor 2.10.1\n\n### Workarounds\nWhen the Harbor is configured with OIDC authentication, warn the user not to log into the Harbor through external links.\n\n### References\nN/A\n\n### Credit\nThanks Arnaud Cordier (arnaud@cordier.work)",
"id": "GHSA-5757-v49g-f6r7",
"modified": "2025-02-26T22:18:08Z",
"published": "2024-06-02T22:32:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22244"
},
{
"type": "PACKAGE",
"url": "https://github.com/goharbor/harbor"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2915"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open Redirect URL in Harbor"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.