CVE-2022-31669
published 2024-11-14
CVE-2022-31669: Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that…
Priority: P3 · 43 · high · 7.7 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
EPSS: 0.40% (31.4th percentile)
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesn’t have access to, the attacker could
modify tag immutability policies configured in other projects.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 1.0.0 < 1.10.13 | 1.10.13 |
| github.com | goharbor_harbor | >= 2.0.0 < 2.4.3 | 2.4.3 |
| github.com | goharbor_harbor | >= 2.5.0 < 2.5.2 | 2.5.2 |
| linuxfoundation | harbor | — | — |
| linuxfoundation | harbor | >= 2.0.0 < 2.4.3 | 2.4.3 |
| linuxfoundation | harbor | >= 2.5.0 < 2.5.2 | 2.5.2 |
GHSA
Harbor fails to validate the user permissions when updating tag immutability policies
ghsa·2022-09-16
CVE-2022-31669 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when updating tag immutability policies
### Impact
Harbor fails to validate the user permissions when updating tag immutability policies. API call:
`PUT /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}`
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesn’t have access to, the attacker could
modify tag immutability policies configured in other projects.
### Patches
This and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.
### Workarounds
There are no workarounds available.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Harbor GitHub repo
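
The class of check the advisory says was missing, as an added Go sketch that is not Harbor's code or its patch: the caller is authorized against the project in the path, and the rule looked up by id must also belong to that project. The advisory does not show the handler, so `Store`, `Rule`, `Update`, `NewSample` and the sample data are hypothetical, and the "authorized on the path project, rule loaded by id alone" shape of the unsafe branch is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model; names are illustrative, not Harbor's.
type Rule struct {
	ProjectID  int64
	TagPattern string
}

type Store struct {
	rules   map[int64]*Rule           // rule id -> rule
	members map[string]map[int64]bool // user -> project ids the user may manage
}

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("rule not found")

// Update sets a rule's tag pattern. bindRule=false authorizes only the path
// project and loads the rule by id alone; bindRule=true also ties rule to project.
func (s *Store) Update(user string, project, ruleID int64, pattern string, bindRule bool) error {
	if !s.members[user][project] {
		return ErrForbidden
	}
	r, ok := s.rules[ruleID]
	// A rule owned by another project is reported as not found, not as forbidden.
	if !ok || (bindRule && r.ProjectID != project) {
		return ErrNotFound
	}
	r.TagPattern = pattern
	return nil
}

// NewSample returns constructed data: alice manages project 1; rule 20 is in project 2.
func NewSample() *Store {
	return &Store{
		rules: map[int64]*Rule{
			10: {ProjectID: 1, TagPattern: "v*"},
			20: {ProjectID: 2, TagPattern: "release-*"},
		},
		members: map[string]map[int64]bool{"alice": {1: true}},
	}
}

func main() {
	s := NewSample()
	fmt.Println(s.Update("alice", 1, 20, "none", true)) // rule not found
}
```

When reviewing an upgraded deployment, the same property can be asserted in an API test: an update that names a rule id from a project the caller cannot manage must leave that rule unchanged.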
OSV
Harbor fails to validate the user permissions when updating tag immutability policies
osv·2022-09-16
CVE-2022-31669 [MEDIUM] Harbor fails to validate the user permissions when updating tag immutability policies
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-11-14
Published