Search criteria
69 vulnerabilities found for harbor by linuxfoundation
FKIE_CVE-2022-31671
Vulnerability from fkie_nvd - Published: 2024-11-14 12:15 - Updated: 2024-11-19 15:40
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Summary
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users\u00a0could read all the job logs stored in the Harbor database."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al leer y actualizar los registros de ejecuci\u00f3n de trabajos a trav\u00e9s de los registros de ejecuci\u00f3n de precalentamiento P2P. Al enviar una solicitud que intenta leer o actualizar los registros de ejecuci\u00f3n de precalentamiento P2P y especificar diferentes identificadores de trabajo, los usuarios autenticados malintencionados podr\u00edan leer todos los registros de trabajo almacenados en la base de datos de Harbor."
}
],
"id": "CVE-2022-31671",
"lastModified": "2024-11-19T15:40:44.150",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 3.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 3.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:17.250",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
},
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-31670
Vulnerability from fkie_nvd - Published: 2024-11-14 12:15 - Updated: 2024-11-19 15:20
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Harbor fails to validate the user permissions when updating tag retention policies.
By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify
tag retention policies configured in other projects.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A003057-D07D-42FC-823E-750DE181D14D",
"versionEndExcluding": "1.10.13",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating tag retention policies.\u00a0\n\nBy sending a request to update a tag retention policy with an id that belongs to a project\u00a0that the currently authenticated user doesn\u2019t have access to, the attacker could modify\ntag retention policies configured in other projects."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar las pol\u00edticas de retenci\u00f3n de etiquetas. Al enviar una solicitud para actualizar una pol\u00edtica de retenci\u00f3n de etiquetas con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podr\u00eda modificar las pol\u00edticas de retenci\u00f3n de etiquetas configuradas en otros proyectos."
}
],
"id": "CVE-2022-31670",
"lastModified": "2024-11-19T15:20:54.243",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:17.040",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-31668
Vulnerability from fkie_nvd - Published: 2024-11-14 12:15 - Updated: 2024-11-19 15:25
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar las pol\u00edticas de precalentamiento P2P. Al enviar una solicitud para actualizar una pol\u00edtica de precalentamiento P2P con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podr\u00eda modificar las pol\u00edticas de precalentamiento P2P configuradas en otros proyectos."
}
],
"id": "CVE-2022-31668",
"lastModified": "2024-11-19T15:25:25.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 3.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:16.607",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-31666
Vulnerability from fkie_nvd - Published: 2024-11-14 12:15 - Updated: 2025-02-28 22:15
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users. The attacker could modify Webhook policies configured in other projects.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users.\u00a0\u00a0The attacker could modify Webhook policies configured in other projects."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de los usuarios al eliminar pol\u00edticas de Webhook, lo que permite que usuarios malintencionados vean, actualicen y eliminen pol\u00edticas de Webhook de otros usuarios. El atacante podr\u00eda modificar pol\u00edticas de Webhook configuradas en otros proyectos."
}
],
"id": "CVE-2022-31666",
"lastModified": "2025-02-28T22:15:21.103",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:16.083",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-8hwq-5f22-jfr3"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-31669
Vulnerability from fkie_nvd - Published: 2024-11-14 12:15 - Updated: 2024-11-19 15:20
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesn’t have access to, the attacker could
modify tag immutability policies configured in other projects.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating tag immutability policies.\u00a0\n\nBy sending a request to update a tag immutability policy with an id that belongs to a\nproject that the currently authenticated user doesn\u2019t have access to, the attacker could\nmodify tag immutability policies configured in other projects."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar las pol\u00edticas de inmutabilidad de etiquetas. Al enviar una solicitud para actualizar una pol\u00edtica de inmutabilidad de etiquetas con un ID que pertenece a un proyecto al que el usuario autenticado actualmente no tiene acceso, el atacante podr\u00eda modificar las pol\u00edticas de inmutabilidad de etiquetas configuradas en otros proyectos."
}
],
"id": "CVE-2022-31669",
"lastModified": "2024-11-19T15:20:01.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:16.817",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-31667
Vulnerability from fkie_nvd - Published: 2024-11-14 12:15 - Updated: 2024-11-19 15:25
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Summary
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14BEA987-A012-4745-A79A-7BCF5E9CD567",
"versionEndExcluding": "2.4.3",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B643770-6018-4D81-B386-91011E437F0D",
"versionEndExcluding": "2.5.2",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Harbor fails to validate the user permissions when updating a robot account that\u00a0belongs to a project that the authenticated user doesn\u2019t have access to.\u00a0\n\nBy sending a request that attempts to update a robot account, and specifying a robot\u00a0account id and robot account name that belongs to a different project that the user\u00a0doesn\u2019t have access to, it was possible to revoke the robot account permissions."
},
{
"lang": "es",
"value": "Harbor no puede validar los permisos de usuario al actualizar una cuenta de robot que pertenece a un proyecto al que el usuario autenticado no tiene acceso. Al enviar una solicitud que intenta actualizar una cuenta de robot y especificar un ID y un nombre de cuenta de robot que pertenecen a un proyecto diferente al que el usuario no tiene acceso, fue posible revocar los permisos de la cuenta de robot."
}
],
"id": "CVE-2022-31667",
"lastModified": "2024-11-19T15:25:29.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T12:15:16.390",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-22278
Vulnerability from fkie_nvd - Published: 2024-08-02 01:15 - Updated: 2024-08-14 22:15
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
References
| URL | Tags | ||
|---|---|---|---|
| security@vmware.com | https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E90E376-D680-4DB6-90B9-81B7144C287F",
"versionEndExcluding": "2.9.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BFE92EA-3C83-4C23-BDB3-FDDCAF9A6BA8",
"versionEndExcluding": "2.10.3",
"versionStartIncluding": "2.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect user permission validation in Harbor \u003cv2.9.5 and Harbor \u003cv2.10.3 allows authenticated users to modify configurations."
},
{
"lang": "es",
"value": " La validaci\u00f3n de permisos de usuario incorrecta en Harbor "
}
],
"id": "CVE-2024-22278",
"lastModified": "2024-08-14T22:15:04.253",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-02T01:15:23.077",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-22261
Vulnerability from fkie_nvd - Published: 2024-06-11 00:15 - Updated: 2025-02-27 15:14
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Summary
SQL-Injection in Harbor allows priviledge users to leak the task IDs
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A5F0D1B-6415-4FCE-B1A1-B063C291AD24",
"versionEndExcluding": "2.8.6",
"versionStartIncluding": "2.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50F4F7A5-1A16-4BAD-9890-DA65E0CC9638",
"versionEndExcluding": "2.9.4",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "429DE716-B324-4AB0-B423-BE27288E33BB",
"versionEndExcluding": "2.10.2",
"versionStartIncluding": "2.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL-Injection in Harbor allows priviledge users to leak the task IDs"
},
{
"lang": "es",
"value": "La inyecci\u00f3n SQL en Harbour permite a los usuarios con privilegios filtrar los ID de las tareas"
}
],
"id": "CVE-2024-22261",
"lastModified": "2025-02-27T15:14:51.320",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-11T00:15:13.790",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-566"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-22244
Vulnerability from fkie_nvd - Published: 2024-06-10 23:15 - Updated: 2025-02-26 20:32
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Open Redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | 2.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E81DFF8-F3FB-41BC-A1AD-09063DCF8431",
"versionEndExcluding": "2.8.5",
"versionStartIncluding": "2.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "302F9780-20A5-4FFD-ABAC-3BD1A79A3037",
"versionEndExcluding": "2.9.3",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:2.10.0:-:*:*:*:*:*:*",
"matchCriteriaId": "79CFD0F5-0830-42FD-8B39-2D2A68F6B79F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open Redirect in Harbor\u00a0 \u003c=v2.8.4, \u003c=v2.9.2, and \u003c=v2.10.0 may redirect a user to a malicious site."
},
{
"lang": "es",
"value": "Open Redirect en Harbor \u0026lt;=v2.8.4, \u0026lt;=v2.9.2 y \u0026lt;=v2.10.0 puede redirigir a un usuario a un sitio malicioso."
}
],
"id": "CVE-2024-22244",
"lastModified": "2025-02-26T20:32:37.077",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-10T23:15:49.590",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "security@vmware.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-20902
Vulnerability from fkie_nvd - Published: 2023-11-09 01:15 - Updated: 2024-11-21 07:41
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to
create jobs/stop job tasks and retrieve job task information.
References
| URL | Tags | ||
|---|---|---|---|
| security@vmware.com | https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * | |
| linuxfoundation | harbor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "225BD7C9-8163-410E-80C3-25FA2DB3E17F",
"versionEndExcluding": "1.10.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "752DA342-ED60-4E9E-BB1B-B73CE61A95FF",
"versionEndIncluding": "2.6.4",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB5FC66-7E27-4199-9E68-698F222039F9",
"versionEndExcluding": "2.7.3",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2D7140D-E5FB-4A2E-85D2-48BF5AB512C5",
"versionEndExcluding": "2.8.3",
"versionStartIncluding": "2.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u00a0 Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \ncreate jobs/stop job tasks and retrieve job task information.\n\n\n"
},
{
"lang": "es",
"value": "Una condici\u00f3n de sincronizaci\u00f3n en Harbor 2.6.x y anteriores, Harbor 2.7.2 y anteriores, Harbor 2.8.2 y anteriores y Harbor 1.10.17 y anteriores permite a un atacante con acceso a la red crear trabajos/detener tareas de trabajo y recuperar informaci\u00f3n de tareas de trabajo. ."
}
],
"id": "CVE-2023-20902",
"lastModified": "2024-11-21T07:41:47.283",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-09T01:15:07.660",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-31668 (GCVE-0-2022-31668)
Vulnerability from cvelistv5 – Published: 2024-11-14 11:56 – Updated: 2024-11-14 19:33
VLAI?
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
Severity ?
7.4 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31668",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T18:53:45.416941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:33:24.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating p2p preheat policies.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:56:31.043Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "User permission validation failure and disclosure of P2P preheat execution logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31668",
"datePublished": "2024-11-14T11:56:31.043Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T19:33:24.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31667 (GCVE-0-2022-31667)
Vulnerability from cvelistv5 – Published: 2024-11-14 11:50 – Updated: 2024-11-14 14:11
VLAI?
Summary
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
Severity ?
6.4 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:10:48.659302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:11:06.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating a robot account that\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebelongs to a project that the authenticated user doesn\u2019t have access to.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request that attempts to update a robot account, and specifying a robot\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eaccount id and robot account name that belongs to a different project that the user\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edoesn\u2019t have access to, it was possible to revoke the robot account permissions.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating a robot account that\u00a0belongs to a project that the authenticated user doesn\u2019t have access to.\u00a0\n\nBy sending a request that attempts to update a robot account, and specifying a robot\u00a0account id and robot account name that belongs to a different project that the user\u00a0doesn\u2019t have access to, it was possible to revoke the robot account permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:50:48.289Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating a robot account",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31667",
"datePublished": "2024-11-14T11:50:48.289Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T14:11:06.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31669 (GCVE-0-2022-31669)
Vulnerability from cvelistv5 – Published: 2024-11-14 11:48 – Updated: 2024-11-15 17:30
VLAI?
Summary
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesn’t have access to, the attacker could
modify tag immutability policies configured in other projects.
Severity ?
6.4 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31669",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T17:30:12.401196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T17:30:33.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating tag immutability policies.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a tag immutability policy with an id that belongs to a\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eproject that the currently authenticated user doesn\u2019t have access to, the attacker could\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emodify tag immutability policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating tag immutability policies.\u00a0\n\nBy sending a request to update a tag immutability policy with an id that belongs to a\nproject that the currently authenticated user doesn\u2019t have access to, the attacker could\nmodify tag immutability policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:48:03.444Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating tag immutability policies",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31669",
"datePublished": "2024-11-14T11:48:03.444Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-15T17:30:33.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31670 (GCVE-0-2022-31670)
Vulnerability from cvelistv5 – Published: 2024-11-14 11:45 – Updated: 2024-11-14 14:09
VLAI?
Summary
Harbor fails to validate the user permissions when updating tag retention policies.
By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify
tag retention policies configured in other projects.
Severity ?
7.7 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:09:30.950454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:09:48.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating tag retention policies.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a tag retention policy with an id that belongs to a project\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethat the currently authenticated user doesn\u2019t have access to, the attacker could modify\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003etag retention policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating tag retention policies.\u00a0\n\nBy sending a request to update a tag retention policy with an id that belongs to a project\u00a0that the currently authenticated user doesn\u2019t have access to, the attacker could modify\ntag retention policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:45:22.257Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating tag retention policies",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31670",
"datePublished": "2024-11-14T11:45:22.257Z",
"dateReserved": "2022-05-25T23:31:47.419Z",
"dateUpdated": "2024-11-14T14:09:48.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31671 (GCVE-0-2022-31671)
Vulnerability from cvelistv5 – Published: 2024-11-14 11:42 – Updated: 2024-11-14 14:10
VLAI?
Summary
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
Severity ?
7.4 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:10:09.378741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:10:27.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;could read all the job logs stored in the Harbor database.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users\u00a0could read all the job logs stored in the Harbor database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:42:22.373Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw"
},
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when reading and updating job execution logs through the P2P preheat execution logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31671",
"datePublished": "2024-11-14T11:42:22.373Z",
"dateReserved": "2022-05-25T23:31:47.419Z",
"dateUpdated": "2024-11-14T14:10:27.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31666 (GCVE-0-2022-31666)
Vulnerability from cvelistv5 – Published: 2024-11-14 11:32 – Updated: 2024-11-14 14:10
VLAI?
Summary
Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users. The attacker could modify Webhook policies configured in other projects.
Severity ?
7.7 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:10:29.115679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:10:46.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users.\u0026nbsp;\u0026nbsp;T\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehe attacker could modify Webhook policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users.\u00a0\u00a0The attacker could modify Webhook policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:32:32.600Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-8hwq-5f22-jfr3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate user permissions while Viewing, updating and deleting Webhook policies",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31666",
"datePublished": "2024-11-14T11:32:32.600Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T14:10:46.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22278 (GCVE-0-2024-22278)
Vulnerability from cvelistv5 – Published: 2024-08-02 00:59 – Updated: 2024-08-14 21:35
VLAI?
Summary
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
Severity ?
6.4 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T16:14:46.125656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T16:15:02.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "harbor",
"vendor": "harbor",
"versions": [
{
"lessThan": "\u003cv2.9.5",
"status": "affected",
"version": "2.9.4",
"versionType": "custom"
},
{
"lessThan": "\u003cv2.10.3",
"status": "affected",
"version": "2.10.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect user permission validation in Harbor \u0026lt;v2.9.5 and Harbor \u0026lt;v2.10.3 allows authenticated users to modify configurations."
}
],
"value": "Incorrect user permission validation in Harbor \u003cv2.9.5 and Harbor \u003cv2.10.3 allows authenticated users to modify configurations."
}
],
"impacts": [
{
"capecId": "CAPEC-176",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-176 Configuration/Environment Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T21:35:37.751Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating project configurations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22278",
"datePublished": "2024-08-02T00:59:55.313Z",
"dateReserved": "2024-01-08T18:43:18.959Z",
"dateUpdated": "2024-08-14T21:35:37.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22261 (GCVE-0-2024-22261)
Vulnerability from cvelistv5 – Published: 2024-06-10 23:25 – Updated: 2024-08-01 22:43
VLAI?
Summary
SQL-Injection in Harbor allows priviledge users to leak the task IDs
Severity ?
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T19:29:24.478745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T20:26:08.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Harbor",
"product": "Harbor",
"repo": "https://github.com/goharbor",
"vendor": "Harbor",
"versions": [
{
"lessThanOrEqual": "2.8.5",
"status": "affected",
"version": "2.8.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9.3",
"status": "affected",
"version": "2.9.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.10.1",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSQL-Injection in Harbor allows priviledge users to leak the task IDs\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "SQL-Injection in Harbor allows priviledge users to leak the task IDs"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-566",
"description": "CWE-566",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T23:25:32.158Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection in Harbor scan log API",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22261",
"datePublished": "2024-06-10T23:25:32.158Z",
"dateReserved": "2024-01-08T18:43:17.077Z",
"dateUpdated": "2024-08-01T22:43:34.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22244 (GCVE-0-2024-22244)
Vulnerability from cvelistv5 – Published: 2024-06-10 23:02 – Updated: 2024-08-01 22:43
VLAI?
Summary
Open Redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site.
Severity ?
4.3 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T18:31:28.512933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T18:31:37.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:33.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"repo": "https://github.com/goharbor/harbor",
"vendor": "Harbor",
"versions": [
{
"lessThanOrEqual": "2.8.4",
"status": "affected",
"version": "2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9.2",
"status": "unknown",
"version": "2.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.10.0",
"status": "affected",
"version": "2.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Open Redirect in Harbor\u0026nbsp; \u0026lt;=v2.8.4, \u0026lt;=v2.9.2, and \u0026lt;=v2.10.0 may redirect a user to a malicious site."
}
],
"value": "Open Redirect in Harbor\u00a0 \u003c=v2.8.4, \u003c=v2.9.2, and \u003c=v2.10.0 may redirect a user to a malicious site."
}
],
"impacts": [
{
"capecId": "CAPEC-98",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-98 Phishing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T23:02:59.347Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor Open Redirect URL",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22244",
"datePublished": "2024-06-10T23:02:59.347Z",
"dateReserved": "2024-01-08T18:43:03.535Z",
"dateUpdated": "2024-08-01T22:43:33.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-20902 (GCVE-0-2023-20902)
Vulnerability from cvelistv5 – Published: 2023-11-09 00:36 – Updated: 2024-09-04 13:18
VLAI?
Summary
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to
create jobs/stop job tasks and retrieve job task information.
Severity ?
5.9 (Medium)
CWE
- In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.
Assigner
References
Impacted products
Credits
Thanks to Porcupiney Hairs for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:21:33.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:11:13.739344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T13:18:17.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Project",
"vendor": "Harbor",
"versions": [
{
"status": "affected",
"version": "\u003c=Harbor 2.6.x, \u003c=Harbor 2.7.2, \u003c=Harbor 2.8.2, \u003c=Harbor 1.10.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thanks to Porcupiney Hairs for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u0026nbsp; Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \u003cbr\u003ecreate jobs/stop job tasks and retrieve job task information.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u00a0 Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \ncreate jobs/stop job tasks and retrieve job task information.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-09T00:36:25.369Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Timing attack risk in Harbor",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-20902",
"datePublished": "2023-11-09T00:36:25.369Z",
"dateReserved": "2022-11-01T15:41:50.396Z",
"dateUpdated": "2024-09-04T13:18:17.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31668 (GCVE-0-2022-31668)
Vulnerability from nvd – Published: 2024-11-14 11:56 – Updated: 2024-11-14 19:33
VLAI?
Summary
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
Severity ?
7.4 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31668",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T18:53:45.416941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:33:24.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating p2p preheat policies.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating p2p preheat policies.\u00a0By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn\u0027t have access to, the attacker could modify p2p preheat policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:56:31.043Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "User permission validation failure and disclosure of P2P preheat execution logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31668",
"datePublished": "2024-11-14T11:56:31.043Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T19:33:24.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31667 (GCVE-0-2022-31667)
Vulnerability from nvd – Published: 2024-11-14 11:50 – Updated: 2024-11-14 14:11
VLAI?
Summary
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
Severity ?
6.4 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:10:48.659302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:11:06.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating a robot account that\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebelongs to a project that the authenticated user doesn\u2019t have access to.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request that attempts to update a robot account, and specifying a robot\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eaccount id and robot account name that belongs to a different project that the user\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edoesn\u2019t have access to, it was possible to revoke the robot account permissions.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating a robot account that\u00a0belongs to a project that the authenticated user doesn\u2019t have access to.\u00a0\n\nBy sending a request that attempts to update a robot account, and specifying a robot\u00a0account id and robot account name that belongs to a different project that the user\u00a0doesn\u2019t have access to, it was possible to revoke the robot account permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:50:48.289Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating a robot account",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31667",
"datePublished": "2024-11-14T11:50:48.289Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T14:11:06.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31669 (GCVE-0-2022-31669)
Vulnerability from nvd – Published: 2024-11-14 11:48 – Updated: 2024-11-15 17:30
VLAI?
Summary
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesn’t have access to, the attacker could
modify tag immutability policies configured in other projects.
Severity ?
6.4 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31669",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T17:30:12.401196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T17:30:33.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating tag immutability policies.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a tag immutability policy with an id that belongs to a\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eproject that the currently authenticated user doesn\u2019t have access to, the attacker could\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emodify tag immutability policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating tag immutability policies.\u00a0\n\nBy sending a request to update a tag immutability policy with an id that belongs to a\nproject that the currently authenticated user doesn\u2019t have access to, the attacker could\nmodify tag immutability policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:48:03.444Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating tag immutability policies",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31669",
"datePublished": "2024-11-14T11:48:03.444Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-15T17:30:33.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31670 (GCVE-0-2022-31670)
Vulnerability from nvd – Published: 2024-11-14 11:45 – Updated: 2024-11-14 14:09
VLAI?
Summary
Harbor fails to validate the user permissions when updating tag retention policies.
By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify
tag retention policies configured in other projects.
Severity ?
7.7 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:09:30.950454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:09:48.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate the user permissions when updating tag retention policies.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBy sending a request to update a tag retention policy with an id that belongs to a project\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethat the currently authenticated user doesn\u2019t have access to, the attacker could modify\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003etag retention policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Harbor fails to validate the user permissions when updating tag retention policies.\u00a0\n\nBy sending a request to update a tag retention policy with an id that belongs to a project\u00a0that the currently authenticated user doesn\u2019t have access to, the attacker could modify\ntag retention policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:45:22.257Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating tag retention policies",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31670",
"datePublished": "2024-11-14T11:45:22.257Z",
"dateReserved": "2022-05-25T23:31:47.419Z",
"dateUpdated": "2024-11-14T14:09:48.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31671 (GCVE-0-2022-31671)
Vulnerability from nvd – Published: 2024-11-14 11:42 – Updated: 2024-11-14 14:10
VLAI?
Summary
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
Severity ?
7.4 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:10:09.378741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:10:27.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;could read all the job logs stored in the Harbor database.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users\u00a0could read all the job logs stored in the Harbor database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:42:22.373Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw"
},
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when reading and updating job execution logs through the P2P preheat execution logs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31671",
"datePublished": "2024-11-14T11:42:22.373Z",
"dateReserved": "2022-05-25T23:31:47.419Z",
"dateUpdated": "2024-11-14T14:10:27.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31666 (GCVE-0-2022-31666)
Vulnerability from nvd – Published: 2024-11-14 11:32 – Updated: 2024-11-14 14:10
VLAI?
Summary
Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users. The attacker could modify Webhook policies configured in other projects.
Severity ?
7.7 (High)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:10:29.115679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:10:46.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Harbor 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"
}
]
}
],
"datePublic": "2022-08-30T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHarbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users.\u0026nbsp;\u0026nbsp;T\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehe attacker could modify Webhook policies configured in other projects.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users.\u00a0\u00a0The attacker could modify Webhook policies configured in other projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T11:32:32.600Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-8hwq-5f22-jfr3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate user permissions while Viewing, updating and deleting Webhook policies",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-31666",
"datePublished": "2024-11-14T11:32:32.600Z",
"dateReserved": "2022-05-25T23:31:47.418Z",
"dateUpdated": "2024-11-14T14:10:46.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22278 (GCVE-0-2024-22278)
Vulnerability from nvd – Published: 2024-08-02 00:59 – Updated: 2024-08-14 21:35
VLAI?
Summary
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
Severity ?
6.4 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T16:14:46.125656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T16:15:02.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "harbor",
"vendor": "harbor",
"versions": [
{
"lessThan": "\u003cv2.9.5",
"status": "affected",
"version": "2.9.4",
"versionType": "custom"
},
{
"lessThan": "\u003cv2.10.3",
"status": "affected",
"version": "2.10.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect user permission validation in Harbor \u0026lt;v2.9.5 and Harbor \u0026lt;v2.10.3 allows authenticated users to modify configurations."
}
],
"value": "Incorrect user permission validation in Harbor \u003cv2.9.5 and Harbor \u003cv2.10.3 allows authenticated users to modify configurations."
}
],
"impacts": [
{
"capecId": "CAPEC-176",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-176 Configuration/Environment Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T21:35:37.751Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating project configurations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22278",
"datePublished": "2024-08-02T00:59:55.313Z",
"dateReserved": "2024-01-08T18:43:18.959Z",
"dateUpdated": "2024-08-14T21:35:37.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22261 (GCVE-0-2024-22261)
Vulnerability from nvd – Published: 2024-06-10 23:25 – Updated: 2024-08-01 22:43
VLAI?
Summary
SQL-Injection in Harbor allows priviledge users to leak the task IDs
Severity ?
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T19:29:24.478745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T20:26:08.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Harbor",
"product": "Harbor",
"repo": "https://github.com/goharbor",
"vendor": "Harbor",
"versions": [
{
"lessThanOrEqual": "2.8.5",
"status": "affected",
"version": "2.8.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9.3",
"status": "affected",
"version": "2.9.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.10.1",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSQL-Injection in Harbor allows priviledge users to leak the task IDs\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "SQL-Injection in Harbor allows priviledge users to leak the task IDs"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-566",
"description": "CWE-566",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T23:25:32.158Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection in Harbor scan log API",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22261",
"datePublished": "2024-06-10T23:25:32.158Z",
"dateReserved": "2024-01-08T18:43:17.077Z",
"dateUpdated": "2024-08-01T22:43:34.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22244 (GCVE-0-2024-22244)
Vulnerability from nvd – Published: 2024-06-10 23:02 – Updated: 2024-08-01 22:43
VLAI?
Summary
Open Redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site.
Severity ?
4.3 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T18:31:28.512933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T18:31:37.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:33.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"repo": "https://github.com/goharbor/harbor",
"vendor": "Harbor",
"versions": [
{
"lessThanOrEqual": "2.8.4",
"status": "affected",
"version": "2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9.2",
"status": "unknown",
"version": "2.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.10.0",
"status": "affected",
"version": "2.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Open Redirect in Harbor\u0026nbsp; \u0026lt;=v2.8.4, \u0026lt;=v2.9.2, and \u0026lt;=v2.10.0 may redirect a user to a malicious site."
}
],
"value": "Open Redirect in Harbor\u00a0 \u003c=v2.8.4, \u003c=v2.9.2, and \u003c=v2.10.0 may redirect a user to a malicious site."
}
],
"impacts": [
{
"capecId": "CAPEC-98",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-98 Phishing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T23:02:59.347Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor Open Redirect URL",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22244",
"datePublished": "2024-06-10T23:02:59.347Z",
"dateReserved": "2024-01-08T18:43:03.535Z",
"dateUpdated": "2024-08-01T22:43:33.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-20902 (GCVE-0-2023-20902)
Vulnerability from nvd – Published: 2023-11-09 00:36 – Updated: 2024-09-04 13:18
VLAI?
Summary
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to
create jobs/stop job tasks and retrieve job task information.
Severity ?
5.9 (Medium)
CWE
- In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.
Assigner
References
Impacted products
Credits
Thanks to Porcupiney Hairs for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:21:33.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:11:13.739344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T13:18:17.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Project",
"vendor": "Harbor",
"versions": [
{
"status": "affected",
"version": "\u003c=Harbor 2.6.x, \u003c=Harbor 2.7.2, \u003c=Harbor 2.8.2, \u003c=Harbor 1.10.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thanks to Porcupiney Hairs for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u0026nbsp; Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \u003cbr\u003ecreate jobs/stop job tasks and retrieve job task information.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u00a0 Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \ncreate jobs/stop job tasks and retrieve job task information.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-09T00:36:25.369Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Timing attack risk in Harbor",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-20902",
"datePublished": "2023-11-09T00:36:25.369Z",
"dateReserved": "2022-11-01T15:41:50.396Z",
"dateUpdated": "2024-09-04T13:18:17.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}