CVE-2022-31671
Published: 2024-11-14
CVE-2022-31671: Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that…
Priority: P3 (40) · Severity: high · CVSS 3.1 base score: 7.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS: 0.51% (39.7th percentile)
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 1.0.0 < 1.10.13 | 1.10.13 |
| github.com | goharbor_harbor | >= 2.0.0 < 2.4.3 | 2.4.3 |
| github.com | goharbor_harbor | >= 2.5.0 < 2.5.2 | 2.5.2 |
| linuxfoundation | harbor | — | — |
| linuxfoundation | harbor | >= 2.0.0 < 2.4.3 | 2.4.3 |
| linuxfoundation | harbor | >= 2.5.0 < 2.5.2 | 2.5.2 |
OSV · 2022-09-09
CVE-2022-31671 [MEDIUM] Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs
### Impact
Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs. The affected API call is:
`GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}/tasks/{task_id}/logs`
By sending a request that attempts to read P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
### Patches
This and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.
### Workarounds
There are no workarounds available.
### For more information
If you have any questions or comments about
GHSA · 2022-09-09
CVE-2022-31671 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs
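The Impact section describes a CWE-285 authorization flaw: the log handler resolves `task_id` on its own, so a task belonging to another project is returned as long as the caller is authenticated. The example below is added here to illustrate the defect and its fix as a defender would write it; it is not Harbor's code. It models the object chain behind the affected path (project → preheat policy → execution → task) with a hypothetical in-memory `Store`, shows the flawed lookup-by-global-ID pattern next to a scoped lookup that checks project membership and then verifies that every identifier in the path belongs to its parent, and uses constructed sample data (`team-a`, `team-b`, user `alice`).

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Harbor's implementation. Models the chain behind
// GET /projects/{project}/preheat/policies/{policy}/executions/{exec}/tasks/{task}/logs
// with hypothetical types and an in-memory store.

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

type Task struct {
	ID          int
	ExecutionID int
	Log         string
}

type Execution struct {
	ID       int
	PolicyID int
}

type Policy struct {
	ID      int
	Project string
}

type Store struct {
	tasks      map[int]Task
	executions map[int]Execution
	policies   map[int]Policy
	// members: project name -> users permitted to read that project's preheat logs (constructed)
	members map[string]map[string]bool
}

// GetTaskLogUnscoped mirrors the flawed pattern: the task is fetched by its
// global ID alone, so any authenticated caller who supplies another project's
// task ID receives that task's log.
func (s *Store) GetTaskLogUnscoped(taskID int) (string, error) {
	t, ok := s.tasks[taskID]
	if !ok {
		return "", ErrNotFound
	}
	return t.Log, nil
}

// GetTaskLog is the hardened form. The caller's permission on the named
// project is checked first, then each identifier in the path must belong to
// the parent it was requested under. A task ID from another project therefore
// resolves to ErrNotFound rather than to its log.
func (s *Store) GetTaskLog(user, project string, policyID, execID, taskID int) (string, error) {
	if !s.members[project][user] {
		return "", ErrForbidden
	}
	p, ok := s.policies[policyID]
	if !ok || p.Project != project {
		return "", ErrNotFound
	}
	e, ok := s.executions[execID]
	if !ok || e.PolicyID != p.ID {
		return "", ErrNotFound
	}
	t, ok := s.tasks[taskID]
	if !ok || t.ExecutionID != e.ID {
		return "", ErrNotFound
	}
	return t.Log, nil
}

// NewSampleStore builds constructed sample data: two projects, each with one
// policy, one execution and one task. User "alice" is a member of "team-a" only.
func NewSampleStore() *Store {
	return &Store{
		policies:   map[int]Policy{1: {ID: 1, Project: "team-a"}, 2: {ID: 2, Project: "team-b"}},
		executions: map[int]Execution{1: {ID: 1, PolicyID: 1}, 2: {ID: 2, PolicyID: 2}},
		tasks: map[int]Task{
			1: {ID: 1, ExecutionID: 1, Log: "team-a preheat log"},
			2: {ID: 2, ExecutionID: 2, Log: "team-b preheat log"},
		},
		members: map[string]map[string]bool{"team-a": {"alice": true}},
	}
}

func main() {
	s := NewSampleStore()
	fmt.Println(s.GetTaskLogUnscoped(2))                   // flawed: returns team-b's log
	fmt.Println(s.GetTaskLog("alice", "team-a", 1, 1, 2))  // hardened: not found
	fmt.Println(s.GetTaskLog("alice", "team-b", 2, 2, 2))  // hardened: forbidden
}
```

The ordering in `GetTaskLog` matters: the membership check runs before any lookup, so an unauthorized caller cannot distinguish existing from non-existing IDs in other projects, and the parent-chain checks make a guessed `task_id` useless even to a legitimate member of some other project. A detection angle follows from the same shape: requests to this path whose `task_id` does not belong to the `execution_id` in the URL are never produced by the normal UI and are worth alerting on.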
No detection rules found.
No public exploits indexed.
Published: 2024-11-14