CVE-2023-20902

Summary

A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,  Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.

Affected Software

VendorProductVersion RangeStatus
HarborProject<=Harbor 2.6.x, <=Harbor 2.7.2, <=Harbor 2.8.2, <=Harbor 1.10.17affected

Weaknesses

  • In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References