CVE-2022-31667
Published: 2024-11-14
Priority: P3 · 35
CVSS 3.1: 6.4 (medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
EPSS: 0.50% (39.0th percentile)
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 1.0.0 < 1.10.13 | 1.10.13 |
| github.com | goharbor_harbor | >= 2.0.0 < 2.4.3 | 2.4.3 |
| github.com | goharbor_harbor | >= 2.5.0 < 2.5.2 | 2.5.2 |
| linuxfoundation | harbor | — | — |
| linuxfoundation | harbor | >= 2.0.0 < 2.4.3 | 2.4.3 |
| linuxfoundation | harbor | >= 2.5.0 < 2.5.2 | 2.5.2 |
GHSA
Harbor fails to validate the user permissions when updating a robot account
ghsa·2022-09-16
CVE-2022-31667 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when updating a robot account
Harbor fails to validate the user permissions when updating a robot account
### Impact
Harbor fails to validate the user permissions when updating a robot account that
belongs to a project that the authenticated user doesn’t have access to. API call:
PUT /robots/{robot_id}
By sending a request that attempts to update a robot account, and specifying a robot
account id and robot account name that belongs to a different project that the user
doesn’t have access to, it was possible to revoke the robot account permissions.
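The authorization gap described above, as an added illustration in Go that is not Harbor's code: a hypothetical in-memory robot store with two update paths for `PUT /robots/{robot_id}`, one that applies the update to whatever id the request names, and one that resolves the robot by id and authorizes the caller against the project that stored record belongs to before touching its permissions. The `Robot`, `Caller` and `Store` types and every sample id, name and project membership are constructed for the example.

```go
package main

import "errors"

// Constructed, simplified model of a project-scoped robot account (not Harbor's types).
type Robot struct {
	ID, ProjectID int64
	Name          string
	Permissions   []string
}

// Caller holds the projects the authenticated user may administer (hypothetical model).
type Caller struct{ Projects map[int64]bool }

var (
	ErrNotFound  = errors.New("robot not found")
	ErrForbidden = errors.New("forbidden: caller may not manage this robot")
)

type Store struct{ robots map[int64]*Robot } // stand-in for the robot table

// NewStore seeds two constructed robots in two different projects.
func NewStore() *Store {
	return &Store{robots: map[int64]*Robot{
		3: {ID: 3, ProjectID: 1, Name: "my-robot", Permissions: []string{"pull", "push"}},
		7: {ID: 7, ProjectID: 2, Name: "other-robot", Permissions: []string{"pull", "push"}},
	}}
}

// UpdateRobotUnchecked mirrors the advisory's flaw: the update lands on whatever robot_id
// the request names, with no check of the caller's rights on the project that robot is in.
func (s *Store) UpdateRobotUnchecked(c Caller, id int64, name string, perms []string) error {
	if r, ok := s.robots[id]; ok {
		r.Permissions = perms
		return nil
	}
	return ErrNotFound
}

// UpdateRobotChecked decides authorization from the stored record resolved by id, never from
// request-supplied fields: the caller must manage that robot's project and the body's name
// must match the record. Both failures return the same error so nothing is leaked.
func (s *Store) UpdateRobotChecked(c Caller, id int64, name string, perms []string) error {
	r, ok := s.robots[id]
	if !ok {
		return ErrNotFound
	}
	if !c.Projects[r.ProjectID] || r.Name != name {
		return ErrForbidden
	}
	r.Permissions = perms
	return nil
}
```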
### Patches
This and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.
### Workarounds
There are no workarounds available.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the
OSV
Harbor fails to validate the user permissions when updating a robot account
osv·2022-09-16
CVE-2022-31667 [MEDIUM] Harbor fails to validate the user permissions when updating a robot account
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.