CVE-2023-20902 in harbor
Summary
by MITRE • 11/09/2023
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability represents a critical timing condition flaw that affects multiple versions of the Harbor container registry platform. The issue stems from insufficient synchronization mechanisms during job creation and task management operations, creating a window where malicious actors can exploit temporal inconsistencies in the system's job processing pipeline. The vulnerability is particularly concerning as it allows remote attackers with network access to manipulate the registry's job scheduling system, potentially leading to unauthorized job creation and termination activities.
The technical implementation of this timing condition occurs at the application layer where Harbor's job management service fails to properly validate or synchronize concurrent job operations. Attackers can leverage this weakness by rapidly submitting job creation requests and stopping job tasks in a coordinated manner, effectively disrupting normal registry operations and potentially gaining unauthorized access to job task information. This timing-based attack vector operates by exploiting race conditions in the job management subsystem, where the system's inability to properly sequence or validate concurrent operations creates exploitable states.
The operational impact of this vulnerability extends beyond simple service disruption, as it compromises the integrity of Harbor's job execution environment. An attacker can potentially access sensitive job task information, including execution parameters, status details, and potentially even underlying system credentials or configuration data. This exposure could enable more sophisticated attacks such as privilege escalation or data exfiltration through compromised job processes. The vulnerability affects all versions up to and including the specified releases, indicating a persistent flaw in the platform's job management architecture that has not been adequately addressed in the maintenance releases.
Security implications of this timing condition align with CWE-367, which addresses time-of-check to time-of-use vulnerabilities, and can be mapped to ATT&CK technique T1059.001 for execution through job scheduling manipulation. Organizations using Harbor versions affected by this vulnerability should immediately implement network segmentation controls to limit access to the registry's administrative endpoints. The recommended mitigations include upgrading to patched versions of Harbor, implementing strict access controls on job management APIs, and deploying monitoring solutions to detect anomalous job creation patterns. Additionally, organizations should consider implementing rate limiting and request validation mechanisms to prevent rapid-fire job operations that could exploit the timing condition, while maintaining proper audit logging to track all job management activities for security analysis purposes.