Timing attack risk in Harbor
Description
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A timing condition in Harbor allows attackers with network access to create/stop job tasks and retrieve job task information.
Vulnerability Overview
CVE-2023-20902 is a vulnerability in Harbor, an open-source cloud-native container registry. A timing condition (a race condition) affects Harbor versions 2.6.x and below, 2.7.2 and below, 2.8.2 and below, and 1.10.17 and below [1][2]. This flaw allows an attacker with network access to create or stop job tasks, as well as retrieve job task information [2].
Exploitation Prerequisites
An attacker must have network access to the Harbor instance, but no authentication or special privileges are explicitly required in the description [2]. The root cause is a timing condition, likely in the job service API authenticator or job task management, which can be exploited to perform unauthorized job operations [4].
Impact
Successful exploitation enables an attacker to create or stop job tasks and retrieve job task information, which could lead to disruption of normal operations, information disclosure about task details, or potential further abuse of the job service [2].
Mitigation
Patched versions include Harbor 2.7.3 and later releases in the 2.7 branch, as well as corresponding fixed versions for other branches [3]. Users are advised to upgrade to a patched version immediately. There is no mention of workarounds in the provided references.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/goharbor/harbor (Go) | < 1.10.18 | 1.10.18 |
| github.com/goharbor/harbor (Go) | >= 2.0.0, < 2.7.3 | 2.7.3 |
| github.com/goharbor/harbor (Go) | >= 2.8.0, < 2.8.3 | 2.8.3 |
Affected products
- osv-coords (2 versions)
  - (no CPE) range: < 1.10.17
  - (no CPE) range: < 1.10.18
- Harbor/Project (v5) range: <= Harbor 2.6.x, <= Harbor 2.7.2, <= Harbor 2.8.2, <= Harbor 1.10.17
References
- github.com/advisories/GHSA-mq6f-5xh5-hgcf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-20902 (ghsa, ADVISORY)
- github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go (ghsa, WEB)
- github.com/goharbor/harbor/releases/tag/v1.10.18 (ghsa, WEB)
- github.com/goharbor/harbor/releases/tag/v2.7.3 (ghsa, WEB)
- github.com/goharbor/harbor/releases/tag/v2.8.3 (ghsa, WEB)
- github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf (ghsa, WEB)