cbcvebase.
CVE-2022-31667
published 2024-11-14

CVE-2022-31667: Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By…

PriorityP335medium6.4CVSS 3.1
AVNACLPRLUINSCCNILAL
EPSS
0.50%
39.0th percentile
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.

Affected

6 ranges
VendorProductVersion rangeFixed in
github.comgoharbor_harbor>= 1.0.0 < 1.10.131.10.13
github.comgoharbor_harbor>= 2.0.0 < 2.4.32.4.3
github.comgoharbor_harbor>= 2.5.0 < 2.5.22.5.2
linuxfoundationharbor
linuxfoundationharbor>= 2.0.0 < 2.4.32.4.3
linuxfoundationharbor>= 2.5.0 < 2.5.22.5.2
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.