GHSA-PRH4-VHFH-24MJ: Information Exposure in Harbor Configuration Audit Logs
Vulnerability ID: GHSA-PRH4-VHFH-24MJ
CVSS Score: 5.3
Published: 2026-03-26
Harbor, an open-source cloud native registry, contains a Moderate severity vulnerability (CWE-532) in its audit logging subsystem. The application relies on an incomplete blacklist to redact sensitive data from configuration payloads. This failure causes LDAP passwords, specifically ldap_search_password, and OpenID Connect (OIDC) client secrets to be written to the database in plain text within the operation description field. This vulnerability allows authorized users with audit log access to retrieve enterprise directory credentials.
TL;DR
Harbor fails to properly redact sensitive configuration parameters from its audit logs. This exposes LDAP and OIDC credentials in plain text to any user with audit log read access, requiring an upgrade to version 2.15.0 and immediate rotation of exposed secrets.
Technical Details
- Vulnerability Class: CWE-532: Insertion of Sensitive Information into Log File
- Attack Vector: Authenticated Application Access (Audit Logs)
- Impact: Exposure of External Directory Credentials (LDAP/OIDC)
- Exploit Status: Unexploited / No Public PoC
- Fix Approach: Deny-all / Complete Payload Removal from Logs
- Key Vulnerable Component: src/pkg/auditext/event/config/config.go
Affected Systems
- Harbor Container Registry (< 2.15.0)
- Harbor: < 2.15.0 (Fixed in: 2.15.0)
Code Analysis
Commit: 85e7564
Fix: Adopt a deny-all approach for configuration audit logs by replacing payload interpolation with a static string.
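The contrast between the two approaches, as an added Go example that is not Harbor's own code (the page does not reproduce config.go): a constructed configuration payload is passed through a blocklist-style redactor whose list, like the vulnerable version, omits the LDAP bind password and the OIDC client secret, and then through a deny-all describer that emits only a static string. The key ldap_search_password comes from the advisory; the oidc_client_secret key name, the blocklist entry and every value are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// samplePayload is a constructed configuration-update request body.
// ldap_search_password is the key named in the advisory; oidc_client_secret
// is an assumed key name; all values are made up.
const samplePayload = `{"auth_mode":"ldap_auth","ldap_url":"ldaps://ldap.example.internal:636","ldap_search_dn":"cn=harbor-bind,ou=services,dc=example,dc=internal","ldap_search_password":"S3cr3t-Bind-Pass","oidc_client_secret":"oidc-client-secret-value"}`

// sampleSecrets lists the secret values that must never appear in a log line.
var sampleSecrets = []string{"S3cr3t-Bind-Pass", "oidc-client-secret-value"}

// incompleteBlocklist models the vulnerable approach: a list of keys to mask
// that was never extended to the LDAP bind and OIDC keys. The single entry is
// constructed for illustration.
var incompleteBlocklist = map[string]bool{"email_password": true}

// describeWithBlocklist builds the operation description the vulnerable way:
// mask the listed keys, then interpolate the whole payload into the log text.
func describeWithBlocklist(payload string) (string, error) {
	var cfg map[string]any
	if err := json.Unmarshal([]byte(payload), &cfg); err != nil {
		return "", fmt.Errorf("parse payload: %w", err)
	}
	for k := range cfg {
		if incompleteBlocklist[k] {
			cfg[k] = "***"
		}
	}
	out, err := json.Marshal(cfg) // map keys are emitted in sorted order
	if err != nil {
		return "", err
	}
	return "update configuration: " + string(out), nil
}

// describeDenyAll is the fixed shape: the description is a static string and
// the request payload never reaches the audit log, so no list of keys can
// fall out of date.
func describeDenyAll(payload string) string {
	_ = payload // deliberately ignored
	return "update configuration"
}

// leakedSecrets returns, sorted, every secret value that appears verbatim in desc.
func leakedSecrets(desc string, secrets []string) []string {
	var found []string
	for _, s := range secrets {
		if strings.Contains(desc, s) {
			found = append(found, s)
		}
	}
	sort.Strings(found)
	return found
}

func main() {
	vuln, err := describeWithBlocklist(samplePayload)
	if err != nil {
		panic(err)
	}
	fmt.Println("blocklist :", leakedSecrets(vuln, sampleSecrets))
	fmt.Println("deny-all  :", leakedSecrets(describeDenyAll(samplePayload), sampleSecrets))
}
```

The blocklist variant leaks both secrets because redaction is only as good as the list, and every new secret-bearing setting has to be remembered; the deny-all variant cannot leak a value it never formats.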
Mitigation Strategies
- Upgrade to Harbor v2.15.0 or later to completely remove configuration request payloads from audit logging.
- Purge or manually redact historical configuration update entries within the audit_log database table.
- Enforce the principle of least privilege for the LDAP service account used by Harbor.
- Proactively monitor logs for unauthorized access attempts originating from Harbor-associated service accounts.
Remediation Steps:
- Identify the current version of Harbor running in your environment.
- Pull the Harbor v2.15.0 (or newer) release and apply the upgrade according to official documentation.
- Connect to the Harbor backing database and query the audit_log table for rows where the op_desc field contains sensitive configuration data.
- Delete or obfuscate the identified legacy log entries.
- Generate new LDAP bind passwords and OIDC client secrets.
- Update the new credentials in the Harbor management interface to ensure directory synchronization is maintained.
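The triage step for legacy rows, as an added Go example that is not part of the advisory or of Harbor: rows already fetched from audit_log are scanned for op_desc values that still carry a secret, and the flagged descriptions are rewritten so the key name survives for forensic context while the value is removed. The column set of auditRow, the sample rows, the oidc_client_secret key name and all values are constructed assumptions; the SQL used to fetch and update rows is not shown.

```go
package main

import (
	"fmt"
	"regexp"
)

// auditRow carries the column the advisory names (op_desc) plus a row id.
// The column set is an assumption for this example.
type auditRow struct {
	ID     int
	OpDesc string
}

// sampleRows are constructed stand-ins for rows read from audit_log:
// two pre-fix configuration updates with secrets, one unrelated operation,
// and one post-fix static description.
var sampleRows = []auditRow{
	{1, `update configuration: {"auth_mode":"ldap_auth","ldap_search_password":"S3cr3t-Bind-Pass","ldap_url":"ldaps://ldap.example.internal:636"}`},
	{2, `create project: library/app`},
	{3, `update configuration: {"oidc_client_secret":"oidc-client-secret-value","oidc_endpoint":"https://idp.example.internal"}`},
	{4, `update configuration`},
}

// sensitiveKV matches "<key>":"<value>" pairs for the LDAP bind password key
// named in the advisory and the assumed OIDC client secret key.
var sensitiveKV = regexp.MustCompile(`"(ldap_search_password|oidc_client_secret)"\s*:\s*"[^"]*"`)

// flagRows returns the ids of rows whose op_desc still contains a secret value.
func flagRows(rows []auditRow) []int {
	var ids []int
	for _, r := range rows {
		if sensitiveKV.MatchString(r.OpDesc) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// obfuscate rewrites a description so the key is kept and the value is dropped.
// Descriptions without a sensitive pair are returned unchanged.
func obfuscate(desc string) string {
	return sensitiveKV.ReplaceAllString(desc, `"$1":"[REDACTED]"`)
}

func main() {
	for _, id := range flagRows(sampleRows) {
		fmt.Printf("row %d needs cleanup\n", id)
	}
	for _, r := range sampleRows {
		fmt.Printf("%d: %s\n", r.ID, obfuscate(r.OpDesc))
	}
}
```

Flagging rather than deleting keeps the record that a configuration change happened, which is usually what an audit trail is for; the rotation steps above still apply to every secret the scan finds, since the value was readable until the row was rewritten.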