
Oxeye discovers several high-severity IDOR vulnerabilities in Harbor


The Oxeye research team discovered several dangerous IDOR vulnerabilities in the open-source Harbor artifact registry developed by the Cloud Native Computing Foundation (CNCF) and VMware.

The company explained that the five flaws were discovered despite Harbor implementing role-based access control (RBAC) on most HTTP endpoints.

One reportedly led to the disclosure of the webhook policy, while another led to the disclosure of job execution logs.

“Managing access to operations and resources can be a challenge,” Oxeye explained in an advisory about the new vulnerabilities.

“Using an RBAC-based design approach has several advantages. This simplifies the creation of reassignments of permissions to objects and facilitates the auditing of user privileges in relation to tracking potential problems.”

While several tutorials have been written on how to properly enable RBAC in applications, Oxeye believes that many of them lack context on how to use the power of RBAC to prevent IDOR vulnerabilities.

“Each new API endpoint that your application exposes should use the strictest of available roles, that is, limit the role to only necessary permissions without excessive permissions that can be abused,” Oxeye’s guidance states.

According to the company, the implementation of new API endpoints should be accompanied by a comprehensive test that simulates how a threat actor would violate the proposed authorization model.

“For example, if an application exposes an endpoint that resets a user’s password, model what would happen if a user called that API endpoint from another user’s context.”

Because of these implementation limitations, Oxeye said that RBAC is not a silver bullet and that following security best practices is critical to protecting applications from IDOR vulnerabilities.
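The cross-context test Oxeye recommends can be run against a small model of an endpoint. The following is an added example, not Harbor's code or Oxeye's: the project and policy layout, role names and handler functions are assumptions constructed to show how an endpoint can pass its RBAC check and still return another project's object.

```python
# Constructed data: two projects (10, 20), each owning one webhook policy.
POLICIES = {
    1: {"project_id": 10, "target": "https://hooks.example/a"},
    2: {"project_id": 20, "target": "https://hooks.example/b"},
}
ROLES = {"alice": {10: "admin"}, "bob": {20: "admin"}}  # user -> {project: role}
READ_ROLES = {"admin", "maintainer"}                    # hypothetical role names

class Forbidden(Exception): pass
class NotFound(Exception): pass

def _require_role(user, project_id):
    if ROLES.get(user, {}).get(project_id) not in READ_ROLES:
        raise Forbidden(f"{user} has no read role on project {project_id}")

def get_policy_rbac_only(user, project_id, policy_id):
    """RBAC is checked on the project in the URL; the policy is fetched by ID alone."""
    _require_role(user, project_id)
    policy = POLICIES.get(policy_id)
    if policy is None:
        raise NotFound(policy_id)
    return policy

def get_policy_bound(user, project_id, policy_id):
    """Same RBAC check, plus the object must belong to the authorized project."""
    _require_role(user, project_id)
    policy = POLICIES.get(policy_id)
    if policy is None or policy["project_id"] != project_id:
        raise NotFound(policy_id)  # same answer for "missing" and "not yours"
    return policy

def cross_tenant_reads(handler):
    """Each user requests every policy via every project they hold a role on;
    return (user, policy_id) pairs where another project's policy came back."""
    leaks = []
    for user, projects in ROLES.items():
        for project_id in projects:
            for policy_id, policy in POLICIES.items():
                try:
                    handler(user, project_id, policy_id)
                except (Forbidden, NotFound):
                    continue
                if policy["project_id"] not in projects:
                    leaks.append((user, policy_id))
    return leaks

if __name__ == "__main__":
    print("rbac only:", cross_tenant_reads(get_policy_rbac_only))
    print("bound:    ", cross_tenant_reads(get_policy_bound))
```

Run in CI against each new endpoint's handler, a non-empty result from `cross_tenant_reads` fails the build before the endpoint ships.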

“The quality of the open source software that we and our community develop, and the commercial distributions that we and our partners distribute, is of vital importance to us and the organizations that use it,” says Roger Clorez, Product Line Manager, Project Harbor, VMware.

“We are grateful to Oxeye and its researchers for their diligence in finding vulnerabilities and their excellent cooperation in helping us eliminate them.”

The Harbor fixes came weeks after VMware released patches to fix a serious security flaw in its VMware Tools suite of utilities.
