{"id":"CVE-2020-13788","details":"Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.","aliases":["BIT-harbor-2020-13788","GHSA-33p6-fx42-7rf5","GO-2022-0781"],"modified":"2026-04-10T04:22:24.067145Z","published":"2020-07-15T21:15:12.300Z","references":[{"type":"ADVISORY","url":"https://github.com/goharbor/harbor/releases"},{"type":"EVIDENCE","url":"https://www.soluble.ai/blog/harbor-ssrf-cve-2020-13788"},{"type":"EVIDENCE","url":"https://www.youtube.com/watch?v=v8Isqy4yR3Q"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/goharbor/harbor","events":[{"introduced":"0"},{"fixed":"d714b3ea8b1079504761d9657a54a1c1f7c38742"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.0.1"}]}}],"versions":["0.1.0","0.1.1","0.3.0","0.3.5","0.3.5-rc","0.4.0","0.4.1","0.4.5","0.5.0","0.5.0-rc1","0.5.0-rc2","1.1.0-rc1","1.1.0-rc2","v1.1.0","v1.1.0-rc3","v1.10.0-rc1","v1.2.0-rc1","v1.2.0-rc2","v1.2.0-rc3","v1.2.0-rc4","v1.3.0-rc1","v1.4.0-rc1","v1.4.0-rc2","v1.7.0-rc1","v2.0.0","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.1-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13788.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}