VU#577436: Hard coded credentials vulnerability in GoHarbor's Harbor
GoHarbor's Harbor, an open-source container registry, uses a default admin password risking security. The default credentials are "admin" and "Harbor12345," set in the harbor.yml configuration. Harbor doesn't mandate password changes upon initial setup or login, thus leaving the system vulnerable. An attacker with the known default password gains full administrative control, which puts the registry at risk. Such control allows overwriting images, initiating supply-chain attacks, and potentially enabling remote code execution. Attackers can establish persistent access and disable security features to accomplish their goals. Sensitive images can be stolen or destructive actions like data deletion can occur, leading to service disruption. To mitigate risk, operators must change the default password immediately after deployment. This can be done via the interface or by setting the harbor_admin_password during installation. A fix is proposed, removing or randomizing default credentials to enhance security:
harbor_admin_passwordduring installation. A fix is proposed, removing or randomizing default credentials to enhance security: