VYPR
Moderate severity · NVD Advisory · Published Jun 10, 2024 · Updated Aug 1, 2024

Harbor Open Redirect URL

CVE-2024-22244

Description

Open Redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open redirect vulnerability in Harbor's OIDC login allows attackers to redirect users to malicious sites via the redirect_url parameter.

CVE-2024-22244 is an open redirect vulnerability in the Harbor container registry, affecting versions <=2.8.4, <=2.9.2, and <=2.10.0. The flaw exists in the OIDC authentication flow, where the redirect_url parameter is not properly validated before redirecting the user after a successful login [2]. This allows an attacker to supply an arbitrary external URL, causing the browser to navigate to a malicious site.

To exploit this vulnerability, an attacker must craft a link containing a malicious redirect_url parameter, such as https://<harbor_host>/c/oidc/login?redirect_url=https://<attacker_site>. If a user clicks this link and completes OIDC authentication, they are redirected to the attacker-controlled site without their knowledge. The attack only works when Harbor is configured with OIDC authentication; instances without OIDC are not affected [3].

The impact is a classic open redirect, which can be leveraged for phishing attacks, credential theft, or other social engineering schemes. An attacker could trick users into visiting a look-alike login page or a site hosting malware, potentially compromising their accounts or systems.

Harbor has released patches in versions 2.8.5, 2.9.3, and 2.10.1 that validate the redirect_url to ensure it is a local path [3]. As a workaround, administrators should warn users not to log in via external links when OIDC is enabled. Users are strongly advised to upgrade to the latest patched version to mitigate the risk.
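The fix described above comes down to accepting only a same-origin path as the post-login destination. As an added example (not Harbor's own code, and not taken from this advisory or its references), the Go function below shows one defensible way to implement that check: it rejects anything with a scheme or host, protocol-relative targets, backslashes and control characters, and rebuilds the accepted value from path, query and fragment only, falling back to a default landing page otherwise. The function name, the fallback path and the sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirectTarget decides what the post-login redirect should be.
// Illustrative validator (constructed for this example, not Harbor's code):
// only an absolute, same-origin path such as "/harbor/projects" is accepted;
// anything a browser could resolve to another origin yields (fallback, false).
func SafeRedirectTarget(raw string, fallback string) (string, bool) {
	if raw == "" {
		return fallback, false
	}
	// Reject control characters and backslashes before parsing: browsers
	// normalise "/\evil.example" to "//evil.example" (protocol-relative),
	// and CR/LF must never reach a Location header.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return fallback, false
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fallback, false
	}
	// Any scheme, host, userinfo or opaque part means "not a local path"
	// ("https://evil.example", "//evil.example", "javascript:...").
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return fallback, false
	}
	// Must be an absolute path, and not protocol-relative after decoding.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return fallback, false
	}
	// Rebuild only path + query + fragment so nothing else leaks through.
	out := u.Path
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	if u.Fragment != "" {
		out += "#" + u.Fragment
	}
	return out, true
}

func main() {
	// Constructed sample inputs mirroring the advisory's attack pattern.
	samples := []string{
		"/harbor/projects",
		"/harbor/projects?page=2#list",
		"https://attacker.example/login",
		"//attacker.example/login",
		"/\\attacker.example",
		"javascript:alert(1)",
		"",
	}
	for _, s := range samples {
		target, ok := SafeRedirectTarget(s, "/")
		fmt.Printf("%-38q accepted=%-5v redirect_to=%q\n", s, ok, target)
	}
}
```

The decision is made on the parsed structure rather than on string prefixes alone, so a value that is encoded, protocol-relative or backslash-mangled still ends up at the fallback path instead of an external origin.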

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions      Patched versions
github.com/goharbor/harbor   Go          < 2.8.5                2.8.5
github.com/goharbor/harbor   Go          >= 2.9.0, < 2.9.3      2.9.3
github.com/goharbor/harbor   Go          >= 2.10.0, < 2.10.1    2.10.1

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.