Exposed Docker Registry
TL;DR
I discovered an unauthenticated Docker registry at https://hub.docker.target.com. The registry permits unauthenticated enumeration of repositories and tags, downloading manifests and blobs, and therefore exposes image contents and metadata. If writable (or if push operations are allowed), an attacker could upload, overwrite, or delete images β creating high-impact risks (supply-chain compromise, sensitive data leakage, or service disruption).
Affected scope
https://hub.docker.target.com(publicly reachable Docker registry)Example endpoints observed:
/v2/_catalogβ list of repositories/v2/<repo>/tags/listβ list tags for a repository/v2/<repo>/manifests/<tag>β manifest for a tag/v2/<repo>/blobs/<digest>β blob download
Impact (summary)
Information disclosure: Attackers can enumerate all available repositories and tags, then download manifests and blobs to inspect image contents (secrets, credentials, config files, internal scripts).
Supply-chain & integrity risk: If the registry allows unauthenticated writes (not verified during my read-only checks), attackers could upload malicious images, replace legitimate images, or delete images.
Operational disruption: Overwritten or deleted images can break automated deployments, CI/CD pipelines, or production systems relying on those images.
Reputation & compliance: Exposure of internal artifacts may violate data-handling policies and client/vendor agreements.
Steps to reproduce
1. List repositories
https://hub.docker.secureworks.com/v2/_catalog
2. List tags for a repository
curl -sS https://hub.docker.target.com/v2/amazon/aws-cli/tags/list
3. Get manifest for a tag
htps://hub.docker.secureworks.com/v2/amazon/aws-cli/manifests/latest
4. Execute
curl https://hub.docker.secureworks.com/v2/amazon/aws-cli/blobs/sha256:9d9bb2fcda3420a3035903ea0dddf892553d461f2e175f74328fd30a9a00c40b --output c.tar
Last updated