Safety issue: a wrong-password login will affect a correct user pulling images #21224
Comments
For security reasons, every failed login results in a 1.5 second freeze time; it is expected behaviour.
Our Harbor server has been attacked with this method, and we could not deploy apps on Docker any more, because pulling images always failed.
If the attacker keeps requesting with the wrong password in this way constantly and continuously, then the normal user of this account will not be able to pull the image, resulting in the inability to deploy the application.
You can select another username to do the pull operation, or check the core.log to find the failed logins' IP and terminate the application, maybe CI/CD-related logins.
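The check suggested above (find which source keeps failing logins against one account in core.log), as an added example that is not part of this issue or of Harbor's code; the log line shape, the sample lines and the timestamps are all constructed and assumed here, so the regex must be adapted to the real core.log format:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED core.log-like shape (not Harbor's real format):
# "<ISO timestamp> [E] [auth] failed to authenticate user=<name> from=<ip>"
SAMPLE_LOG = """\
2024-12-01T10:00:00Z [E] [auth] failed to authenticate user=deploy from=203.0.113.9
2024-12-01T10:00:01Z [I] [auth] authenticated user=deploy from=198.51.100.7
2024-12-01T10:00:02Z [E] [auth] failed to authenticate user=deploy from=203.0.113.9
2024-12-01T10:00:03Z [E] [auth] failed to authenticate user=deploy from=203.0.113.9
2024-12-01T10:00:04Z [E] [auth] failed to authenticate user=deploy from=203.0.113.9
2024-12-01T10:00:05Z [E] [auth] failed to authenticate user=deploy from=203.0.113.9
2024-12-01T10:00:30Z [E] [auth] failed to authenticate user=alice from=198.51.100.7
2024-12-01T10:05:00Z [E] [auth] failed to authenticate user=deploy from=203.0.113.9
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \[E\] \[auth\] failed to authenticate "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["ip"]


def flag_lockout_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, ip): peak_count} for sources whose failed logins against one
    account reach `threshold` inside any sliding `window`. With a 1.5 s freeze per
    failure, such a source alone can keep the legitimate user of that account from
    pulling, so these are the candidates to block or to fix (e.g. a stale CI/CD secret)."""
    recent = defaultdict(deque)   # (user, ip) -> timestamps still inside the window
    flagged = {}
    for ts, user, ip in parse_failed_logins(text):
        q = recent[(user, ip)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(user, ip)] = max(flagged.get((user, ip), 0), len(q))
    return flagged
```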
Isn't this rather infeasible? By using an incorrect password, one can attack a Harbor server, forcing them to abandon this account and use another one to work. Is this considered normal operation?
Repeat it with these steps:
1. Using a correct account A, pull images continuously in a loop (on one computer).
2. Attempt to log in to account A with a wrong password continuously in a loop (on another computer).
Then we'll see that step 1, pulling images, can be affected and will not work OK (not often, but sometimes it will error).
We have verified that this issue exists in versions 2.7.x, 2.8.x, and 2.12.x.