CVE-2024-22278
Published 2024-08-02
Priority P4 · 20 · medium · 4.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS
0.37%
28.6th percentile
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 0 < 2.9.5 | 2.9.5 |
| github.com | goharbor_harbor | >= 0 < 2.9.5+incompatible | 2.9.5+incompatible |
| github.com | goharbor_harbor | >= 2.10.0 < 2.10.3 | 2.10.3 |
| github.com | goharbor_harbor | >= 2.10.0+incompatible < 2.10.3+incompatible | 2.10.3+incompatible |
| harbor | harbor | >= 2.10.2 < 2.10.3 | 2.10.3 |
| harbor | harbor | >= 2.9.4 < 2.9.5 | 2.9.5 |
| linuxfoundation | harbor | < 2.9.5 | 2.9.5 |
| linuxfoundation | harbor | >= 2.10.0 < 2.10.3 | 2.10.3 |
OSV · 2024-08-06
CVE-2024-22278 Harbor fails to validate the user permissions when updating project configurations in github.com/goharbor/harbor
OSV · 2024-07-31
CVE-2024-22278 [HIGH] Harbor fails to validate the user permissions when updating project configurations
### Impact
Harbor fails to validate the maintainer role's permissions when creating, updating or deleting project configurations through the following API calls:
- PUT /projects/{project_name_or_id}/metadatas/{meta_name}
- POST /projects/{project_name_or_id}/metadatas/{meta_name}
- DELETE /projects/{project_name_or_id}/metadatas/{meta_name}
By sending a request to create, update or delete a metadata entry whose name belongs to a project that the currently authenticated user, who has been granted the maintainer role, does not have access to, the attacker could modify configurations in the current project.
BTW: the maintainer role in Harbor was intended for individuals who closely support the project admin in maintaining the project but lack co
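The three endpoints above are project-scoped writes, so the server has to answer two questions before touching metadata: which role does the caller hold in the project named in the path (the object-level check), and is that role allowed to write metadata at all (the policy check). The Go program below is an added, simplified model written for this page, not Harbor's own code: it places a policy table in which the maintainer role may create/update/delete metadata beside one in which only the project admin may, and routes each request through a role lookup keyed on the project in the path. The role names follow Harbor's documentation, but the `Policy`, `Membership` and `HandleMetadata` types and functions, the two policy tables and the sample users and projects are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Role is the project-level role a user holds in one specific project.
// Names follow Harbor's documentation; the numbering is arbitrary.
type Role int

const (
	RoleNone Role = iota
	RoleGuest
	RoleDeveloper
	RoleMaintainer
	RoleProjectAdmin
)

// Permission is the (resource, action) pair a request needs.
type Permission struct{ Resource, Action string }

// Policy maps a role to the set of permissions it grants (assumed model).
type Policy map[Role]map[Permission]bool

func grant(p Policy, r Role, perms ...Permission) {
	if p[r] == nil {
		p[r] = map[Permission]bool{}
	}
	for _, perm := range perms {
		p[r][perm] = true
	}
}

var (
	metaRead   = Permission{"metadata", "read"}
	metaWrites = []Permission{{"metadata", "create"}, {"metadata", "update"}, {"metadata", "delete"}}
)

// basePolicy: every member may read project metadata, only the project
// admin may write it. The two tables below differ only for the maintainer.
func basePolicy() Policy {
	p := Policy{}
	for _, r := range []Role{RoleGuest, RoleDeveloper, RoleMaintainer, RoleProjectAdmin} {
		grant(p, r, metaRead)
	}
	grant(p, RoleProjectAdmin, metaWrites...)
	return p
}

// VulnerablePolicy models the pre-fix behaviour the advisory describes:
// the maintainer role may create, update and delete project metadata.
func VulnerablePolicy() Policy {
	p := basePolicy()
	grant(p, RoleMaintainer, metaWrites...)
	return p
}

// FixedPolicy restricts metadata writes to the project admin.
func FixedPolicy() Policy { return basePolicy() }

// Membership records the role each user holds per project: user -> project -> role.
type Membership map[string]map[string]Role

// Authorize is the object-level check: the caller's role is resolved in the
// project named in the request path (RoleNone if not a member) and only then
// is the policy table consulted for the requested permission.
func Authorize(pol Policy, m Membership, user, project string, perm Permission) bool {
	role := m[user][project]
	return pol[role][perm]
}

var methodToAction = map[string]string{"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}

// HandleMetadata models the /projects/{project_name_or_id}/metadatas/{meta_name}
// route and returns the HTTP status the server would answer with.
func HandleMetadata(pol Policy, m Membership, user, method, path string) int {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) != 4 || parts[0] != "projects" || parts[2] != "metadatas" {
		return http.StatusNotFound
	}
	action, ok := methodToAction[method]
	if !ok {
		return http.StatusMethodNotAllowed
	}
	if !Authorize(pol, m, user, parts[1], Permission{"metadata", action}) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	// Constructed sample data: mallory is a maintainer of team-a only; alice is team-a's project admin.
	m := Membership{"mallory": {"team-a": RoleMaintainer}, "alice": {"team-a": RoleProjectAdmin}}
	for _, tc := range []struct {
		name string
		pol  Policy
	}{{"pre-fix", VulnerablePolicy()}, {"post-fix", FixedPolicy()}} {
		for _, req := range [][3]string{{"mallory", "PUT", "/projects/team-a/metadatas/public"},
			{"mallory", "DELETE", "/projects/team-b/metadatas/public"},
			{"alice", "PUT", "/projects/team-a/metadatas/public"}} {
			fmt.Printf("%-8s %-7s %-6s %s -> %d\n", tc.name, req[0], req[1], req[2],
				HandleMetadata(tc.pol, m, req[0], req[1], req[2]))
		}
	}
}
```

Run with `go run .`: under the pre-fix table the maintainer's PUT on her own project returns 200, under the post-fix table it returns 403, while the project admin's PUT returns 200 in both. The lookup keyed on `parts[1]` is what keeps a maintainer of team-a at 403 for team-b regardless of the table; the policy table is what closes the maintainer-to-admin privilege gap the advisory describes. A regression test that pins both results is the check a practitioner would want in a project of this kind.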
GHSA · 2024-07-31
CVE-2024-22278 [HIGH] CWE-269 Harbor fails to validate the user permissions when updating project configurations
No detection rules found.
No public exploits indexed.
Unit42 · 2024-08-12 · CVSS 7.7 [HIGH]
Harnessing LLMs for Automating BOLA Detection
Ravid Mazon and Jay Chen, published August 12, 2024. Tags: Threat Research, Vulnerabilities, API, BOLA, GenAI, LLM, Web application firewall
## Executive Summary
This post presents our research on a methodology we call BOLABuster, which uses large language models (LLMs) to detect broken object level authorization (BOLA) vulnerabilities. By automating BOLA detection at scale, we will show promising results in identifying these vulnerabilities in open-source projects.
BOLA is a widespread and potentially critical vulnerability in modern APIs and web applications. While manually exploiting BOLA vulnerabilities is usually straightforward, automatically identifying new BOLAs is challenging for the following reasons:
- The complexities of application logic
- The diverse range of input parameters
- The stateful nature of modern web applications
For these reasons, traditional methodologies like fuzzing and static analysis are ineff
Unit42 · 2024-07-31 · CVSS 6.4 [MEDIUM]
Identifying a BOLA Vulnerability in Harbor, a Cloud-Native Container Registry
Jay Chen and Ravid Mazon, published July 31, 2024. Tags: Threat Research, Vulnerabilities, API attacks, BOLA, Harbor
## Executive Summary
In a recent audit of open-source web applications, threat researchers from Unit 42 have identified a broken object-level authorization (BOLA) vulnerability that impacts Harbor versions prior to 2.9.5. Harbor is a widely used cloud-native container registry that plays a role in cloud environments by hosting container images and providing features such as role-based access control (RBAC), vulnerability scanning and image signing. It is an open-source CNCF Graduated project with over 22,600 stars and 1.8 million downloads. The vulnerability we identified is tracked as CVE-2024-22278, with a CVSS score of 6.4.
We found the vulnerability as part of our development of an automated BOLA detection tool leveraging generative AI, part of a larger effort to explore how AI can e