The Oxeye security research team found several high-severity insecure direct object reference (IDOR) vulnerabilities in Harbor, an open-source artifact registry developed by the Cloud Native Computing Foundation (CNCF) and VMware.
The company explained that the five flaws were discovered despite Harbor having implemented role-based access control (RBAC) on most HTTP endpoints.
One of them reportedly led to webhook policy disclosure, while another led to the disclosure of job execution logs.
“Managing access to operations and resources can be a challenging goal,” explained Oxeye in an advisory about the new vulnerabilities.
“Using an RBAC-based approach to a project has several benefits. It simplifies creating repeatable assignments of permissions to entities and makes auditing user privileges easier with respect to tracking potential issues.”
While several tutorials have been written about correctly incorporating RBAC in applications, Oxeye believes many of them lack context about how to harness the power of RBAC to prevent IDOR vulnerabilities.
“Every new API endpoint that your application exposes should use the strictest role available – that is, limit the role to only the required permissions without excessive ones that might be abused,” said the Oxeye advisory.
According to the company, implementing new API endpoints should be followed by a comprehensive test that simulates how a threat actor would break the suggested permission model.
“For example, if the application exposes an endpoint that resets a user’s password, simulate what would happen if a user would call this API endpoint from the context of a different user.”
Because RBAC is only as effective as the way it is implemented, Oxeye said it is not a silver bullet, and that following security best practices is crucial to keeping applications safe from IDOR vulnerabilities.
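As an added illustration in Go (Harbor's implementation language) of the check Oxeye describes, and not code from the page, Oxeye or the Harbor project: a hypothetical webhook-policy lookup in which endpoint-level RBAC passes but the resource is fetched by ID alone, beside the hardened form that ties the policy to the project the caller was authorized on. The data model, function names and sample data are constructed for the example.

```go
package main
import "errors"

// Constructed, hypothetical model for illustration; not Harbor's own code.
type WebhookPolicy struct {
	ID, ProjectID int
	TargetURL     string
}

type Store struct {
	policies map[int]WebhookPolicy
	admins   map[string]map[int]bool // user -> projectID -> holds the admin role
}

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("not found")

// GetPolicyVulnerable: endpoint-level RBAC passes because the caller holds a role
// on the project named in the URL, but the policy is then fetched by ID alone, so
// a policy belonging to another project is disclosed (an IDOR).
func (s *Store) GetPolicyVulnerable(user string, projectID, policyID int) (WebhookPolicy, error) {
	if !s.admins[user][projectID] {
		return WebhookPolicy{}, ErrForbidden
	}
	if p, ok := s.policies[policyID]; ok {
		return p, nil
	}
	return WebhookPolicy{}, ErrNotFound
}

// GetPolicyFixed adds the object-level check: the policy must belong to the project
// the caller was authorized on. A mismatch is reported as not found so that policy
// IDs in other projects cannot be enumerated.
func (s *Store) GetPolicyFixed(user string, projectID, policyID int) (WebhookPolicy, error) {
	if !s.admins[user][projectID] {
		return WebhookPolicy{}, ErrForbidden
	}
	if p, ok := s.policies[policyID]; ok && p.ProjectID == projectID {
		return p, nil
	}
	return WebhookPolicy{}, ErrNotFound
}

// NewSampleStore returns constructed sample data: alice administers project 1,
// mallory administers project 2, and policy 7 belongs to project 1.
func NewSampleStore() *Store {
	return &Store{
		policies: map[int]WebhookPolicy{7: {ID: 7, ProjectID: 1, TargetURL: "https://hooks.example.test/a"}},
		admins:   map[string]map[int]bool{"alice": {1: true}, "mallory": {2: true}},
	}
}
```

The test Oxeye recommends is the call from a different user's context: mallory, who administers only project 2, requests policy 7 through her own project's URL, and the fixed handler must not return it.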
“The quality of the open source software we and our community develop and the commercial distributions we and our partners distribute is vital to us and to the organizations that use it,” says Roger Klorese, product line manager at Project Harbor, VMware.
“We are grateful to Oxeye and its researchers for their diligence in finding vulnerabilities and their excellent collaboration in helping us address them.”
The fixed Harbor vulnerabilities come weeks after VMware released patches to fix a severe security flaw in its VMware Tools suite of utilities.