CVE-2020-13788 — Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-1

Description

Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.

How to fix CVE-2020-13788

To remediate CVE-2020-13788, upgrade the affected package to a fixed version below.

—upgrade to 2.0.1 or later
—upgrade to 2.0.1 or later
—upgrade to 2.0.1+incompatible or later

Is CVE-2020-13788 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.0.1
>= 1.8.0, < 2.0.1
>= 1.8.0, < 2.0.1+incompatible

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-13788
WEBgithub.com/goharbor/harbor/releases
WEBgithub.com/goharbor/harbor/security/advisories/GHSA-33p6-fx42-7rf5
WEBwww.soluble.ai/blog/harbor-ssrf-cve-2020-13788
WEB