- Description: An attacker attempts to log in to the Harbor UI or API using default administrator usernames (e.g.,
admin) and common or default passwords. If successful, the attacker gains full administrative access to Harbor. - Impact: Complete compromise of the Harbor instance. Attacker can access, modify, delete all projects, images, users, and configurations. Can be used to inject malicious images, steal sensitive data, or disrupt services.
- Affected Harbor Component: UI, API, Authentication Service
- Risk Severity: Critical
- Mitigation Strategies:
- Change the default administrator password immediately upon initial setup.
- Enforce strong password policies for all users.
- Implement account lockout policies after multiple failed login attempts.
- Consider disabling default administrator accounts and creating role-based administrator accounts.
Threat: Insecure API Key Exposure
- Description: An attacker gains access to API keys that are stored insecurely (e.g., in plain text files, version control, or easily accessible locations). With a valid API key, the attacker can authenticate to the Harbor API and perform actions based on the key's permissions.
- Impact: Unauthorized access to Harbor API. Depending on the API key's scope, the attacker could pull/push images, manage projects, users, or even gain administrative privileges if the key is for an administrator account.
- Affected Harbor Component: API, Authentication Service
- Risk Severity: High
- Mitigation Strategies:
- Never store API keys in plain text or in version control systems.
- Utilize secure secrets management solutions (e.g., HashiCorp Vault, Kubernetes Secrets) to store and manage API keys.
- Implement short expiration times for API keys.
- Restrict API key scope to the minimum necessary permissions.
- Regularly rotate API keys.
Threat: RBAC Bypass Vulnerability
- Description: An attacker exploits a vulnerability in Harbor's Role-Based Access Control (RBAC) implementation to bypass authorization checks. This could allow a user with limited permissions to gain access to resources they should not be able to access, or escalate their privileges within Harbor.
- Impact: Unauthorized access to projects, repositories, or images within Harbor. Potential data breaches, image tampering, or deletion. Privilege escalation could lead to full Harbor compromise.
- Affected Harbor Component: Authorization Service, UI, API
- Risk Severity: High
- Mitigation Strategies:
- Keep Harbor updated to the latest version with security patches.
- Regularly review and audit RBAC configurations to ensure they are correctly implemented and enforced.
- Conduct penetration testing and security audits to identify potential RBAC bypass vulnerabilities.
- Follow the principle of least privilege when assigning roles to users and services.
- Description: An attacker, without proper authorization within Harbor's RBAC, is able to pull container images from private repositories. This could be due to misconfigured permissions or vulnerabilities in authorization checks within Harbor.
- Impact: Exposure of sensitive data or proprietary code contained within container images managed by Harbor. Intellectual property theft, data breaches, and potential competitive disadvantage.
- Affected Harbor Component: Registry, Authorization Service
- Risk Severity: High
- Mitigation Strategies:
- Strictly enforce RBAC within Harbor to control image pull access.
- Utilize private projects for sensitive images and carefully manage project membership within Harbor.
- Regularly review and audit project access policies within Harbor.
- Ensure proper authentication is required by Harbor for image pulls from private repositories.
- Description: An attacker with write access to a repository in Harbor (or through exploiting a vulnerability in Harbor) modifies existing container images or pushes malicious images. These compromised images could contain malware, backdoors, or vulnerabilities, and are then stored within Harbor.
- Impact: Deployment of compromised images from Harbor into production environments, leading to security breaches, data exfiltration, system compromise, and operational disruptions.
- Affected Harbor Component: Registry, Image Storage, Notary (if enabled)
- Risk Severity: Critical
- Mitigation Strategies:
- Enable content trust and image signing using Notary integration within Harbor to verify image integrity and origin.
- Implement mandatory vulnerability scanning for all images pushed to Harbor.
- Utilize image scanning policies within Harbor to prevent the pushing or pulling of images with critical vulnerabilities.
- Restrict write access to repositories in Harbor to only authorized and trusted users/services.
- Regularly audit image content and provenance within Harbor.
- Description: Due to misconfiguration or insufficient security measures in the storage backend used by Harbor to store container images (e.g., object storage, filesystem), an attacker gains unauthorized access. While the storage is external, Harbor is responsible for its secure configuration and access management.
- Impact: Direct access to all container images stored by Harbor, leading to a massive data breach. Exposure of sensitive data, proprietary code, and potential intellectual property theft.
- Affected Harbor Component: Image Storage (Configuration and Management by Harbor, though storage itself is external)
- Risk Severity: Critical
- Mitigation Strategies:
- Secure the storage backend used by Harbor with strong access controls and authentication, as per Harbor's documentation and best practices.
- Implement encryption at rest for stored images within the storage backend used by Harbor.
- Regularly audit storage access configurations and security posture of the storage backend used by Harbor.
- Harden the underlying infrastructure hosting the storage backend used by Harbor.
- Implement network segmentation to isolate the storage backend used by Harbor.
Threat: Registry Denial of Service (DoS)
- Description: An attacker floods the Harbor registry component with a large volume of image pull or push requests, or other API requests, overwhelming the Harbor server and causing it to become unresponsive or crash.
- Impact: Inability to pull or push images from Harbor, disrupting CI/CD pipelines, application deployments, and overall service availability that relies on Harbor.
- Affected Harbor Component: Registry, API, Load Balancer (if applicable)
- Risk Severity: High
- Mitigation Strategies:
- Implement rate limiting for API requests to Harbor to prevent excessive requests from a single source.
- Configure resource limits (CPU, memory) for Harbor components to prevent resource exhaustion.
- Utilize load balancing to distribute traffic across multiple Harbor registry instances.
- Implement network-level DoS protection mechanisms (e.g., firewalls, intrusion detection/prevention systems) in front of Harbor.
Threat: Unpatched Harbor Vulnerabilities
- Description: Known security vulnerabilities exist in Harbor or its components, but patches or updates are not applied in a timely manner. Attackers can exploit these known vulnerabilities within Harbor itself to compromise the Harbor instance.
- Impact: System compromise of the Harbor instance, data breaches (related to Harbor's data, configurations, or potentially images if vulnerabilities allow), denial of service, and other security incidents depending on the nature of the vulnerability in Harbor.
- Affected Harbor Component: All Harbor Components
- Risk Severity: Critical to High (depending on the vulnerability)
- Mitigation Strategies:
- Establish a robust vulnerability management process specifically for Harbor.
- Regularly monitor security advisories and release notes for Harbor.
- Promptly apply security patches and updates to Harbor as soon as they are released.
- Automate patching processes for Harbor where possible.
- Implement vulnerability scanning for the Harbor infrastructure itself.