github.com/goharbor/harbor vulnerabilities
22 known vulnerabilities affecting github.com/goharbor_harbor.
Total CVEs: 22
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 14, LOW 1
Vulnerabilities
Page 1 of 2
CVE-2019-16097 | P2 | MEDIUM | PoC | affected: ≥ 1.7.0, < 1.9.0-rc1 | 2022-02-15
CVE-2019-16097 [MEDIUM] CWE-862 Missing Authorization in Harbor
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API. This is fixed in 1.9.0-rc1.
CVE-2026-4404 | P2 | CRITICAL | affected: ≥ 0, ≤ 2.15.0 | 2026-03-23
CVE-2026-4404 [CRITICAL] CWE-1393 Harbor allows the use of the default password for web UI login
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
CVE-2019-19023 | P3 | MEDIUM | affected: ≥ 1.7.0, < 1.8.6; ≥ 1.9.0, < 1.9.3 | 2021-05-18
CVE-2019-19023 [MEDIUM] CWE-269 Privilege Escalation in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
CVE-2022-31670 | P3 | HIGH | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-16
CVE-2022-31670 [HIGH] CWE-285 Harbor fails to validate the user permissions when updating tag retention policies
### Impact
Harbor fails to validate the user permissions when updating tag retention policies. API call:
PUT /retentions/{id}
By sending a request to update a tag retention policy with an id that belongs to a project
that the currently authenticated user doesn’t have access to, the attacker could mod
CVE-2019-19029 | P3 | HIGH | affected: ≥ 1.7.0, < 1.8.6; ≥ 1.9.0, < 1.9.3 | 2021-05-18
CVE-2019-19029 [HIGH] CWE-89 SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
CVE-2022-31669 | P3 | MEDIUM | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-16
CVE-2022-31669 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when updating tag immutability policies
### Impact
Harbor fails to validate the user permissions when updating tag immutability policies - API call:
PUT /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currentl
CVE-2022-31668 | P3 | HIGH | affected: ≥ 2.0.0, < 2.4.3; ≥ 2.5.0, < 2.5.2 | 2024-11-14
CVE-2022-31668 [HIGH] CWE-285 Harbor fails to validate the user permissions when updating p2p preheat policies
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other project
CVE-2022-31671 | P3 | MEDIUM | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-09
CVE-2022-31671 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs
### Impact
Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs - API call
GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}
CVE-2019-19025 | P3 | HIGH | affected: ≥ 1.7.0, < 1.8.6; ≥ 1.9.0, < 1.9.3 | 2021-05-18
CVE-2019-19025 [HIGH] CWE-352 Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor
Cure53 has discovered that the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim.
Th
CVE-2022-31667 | P3 | MEDIUM | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-16
CVE-2022-31667 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when updating a robot account
### Impact
Harbor fails to validate the user permissions when updating a robot account that
belongs to a project that the authenticated user doesn’t have access to. API call:
PUT /robots/{robot_id}
By sending a request that attempts to update a robot account, and specifying a robot
account id and robot account n
CVE-2023-20902 | P3 | MEDIUM | affected: ≥ 0, < 1.10.18; ≥ 2.0.0, < 2.7.3; +1 more | 2023-10-10
CVE-2023-20902 [MEDIUM] CWE-208 Harbor timing attack risk
In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks. The vulnerability occurs due to the following code: https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69
To avoid this issue, constant time comparison should be used.
```
subtle.ConstantTimeCompare([]byte(expectedSecret), []byt
```
CVE-2019-19030 | P4 | MEDIUM | CVSS 5.3 | affected: ≥ 1.7.0, < 1.10.3; ≥ 2.0.0, < 2.0.1 | 2022-02-11
CVE-2019-19030 [MEDIUM] CWE-204 Unauthenticated users can exploit an enumeration vulnerability in Harbor (CVE-2019-19030)
# Impact
Sean Wright from Secureworks has discovered an enumeration vulnerability. An attacker can make use of the Harbor API to make unauthenticated calls to the Harbor instance. Based on the HTTP status code in the response, an attacker is then able to work out which resources exist,
CVE-2024-22261 | P4 | LOW | affected: ≥ 0, < 2.8.6; ≥ 2.9.0, < 2.9.4; +1 more | 2024-06-02
CVE-2024-22261 [LOW] CWE-566 SQL Injection in Harbor scan log API
### Impact
A user with an administrator, project_admin, or project_maintainer role could utilize and exploit SQL Injection to allow the execution of any Postgres function or the extraction of sensitive information from the database through this API:
```
GET /api/v2.0/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log
```
The SQL injection might h
CVE-2019-19026 | P4 | MEDIUM | affected: ≥ 1.7.0, < 1.8.6; ≥ 1.9.0, < 1.9.3 | 2021-05-18
CVE-2019-19026 [MEDIUM] CWE-89 SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
CVE-2022-31666 | P4 | HIGH | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-16
CVE-2022-31666 [HIGH] CWE-285 Harbor fails to validate the user permissions when viewing Webhook policies
### Impact
Harbor fails to validate the user permissions to view Webhook policies including relevant credentials configured in different projects the user doesn’t have access to, resulting in malicious users being able to read Webhook policies of other users/projects. API call is
GET /projects/{project_name_or_id}/
CVE-2020-29662 | P4 | MEDIUM | CVSS 5.3 | affected: ≥ 0, < 2.0.5; ≥ 2.1.0, < 2.1.2 | 2022-02-12
CVE-2020-29662 [MEDIUM] CWE-287 "catalog's registry v2 api exposed on unauthenticated path in Harbor"
### **Impact**
Javier Provecho, member of the TCCT (Telefonica Cloud & Cybersecurity Tech better known as ElevenPaths) SRE team discovered a vulnerability regarding Harbor’s v2 API.
The catalog’s registry v2 api is exposed on an unauthenticated path. The current catalog API path is served at the following path and it require
CVE-2025-30086 | P4 | MEDIUM | affected: ≥ 2.13.0, < 2.13.1; ≥ 2.4.0-rc1.1, < 2.12.4; +1 more | 2025-07-23
CVE-2025-30086 [MEDIUM] CWE-200 Possible ORM Leak Vulnerability in the Harbor
### Impact
Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the `/api/v2.0/users` endpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because the `q` URL parameter allowed the administrator to filter users by any colum
CVE-2024-22244 | P4 | MEDIUM | affected: ≥ 0, < 2.8.5; ≥ 2.9.0, < 2.9.3; +1 more | 2024-06-02
CVE-2024-22244 [MEDIUM] CWE-601 Open Redirect URL in Harbor
### Description
Under OIDC authentication mode, there is a redirect_url parameter exposed in the URL which is used to redirect the current user to the defined location after the successful OIDC login. This redirect_url can be an ambiguous URL and can be used to embed a phishing URL.
For example: if a user clicks the URL with a malicious redirect_url:
```
https:///c/oidc/login?redirect_url=https://
```
It mig
CVE-2020-13788 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ 1.8.0, < 2.0.1 | 2022-02-11
CVE-2020-13788 [MEDIUM] CWE-918 Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788)
# Impact
Matt Hamilton from Soluble has discovered a limited Server-Side Request Forgery (SSRF) that allowed Harbor project owners to scan the TCP ports of hosts on the Harbor server's internal network.
The vulnerability was immediately fixed by the Harbor team.
# Issue
The “Test Endpoint” AP
CVE-2020-13794 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ 0, < 2.0.3 | 2021-05-24
CVE-2020-13794 [MEDIUM] CWE-862 Authenticated users can exploit an enumeration vulnerability in Harbor
### **Impact**
Hidde Smit from Cyber Eagle has discovered a User Enumeration flaw in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction can be bypassed and information can be obtained via the "search" functionality.
Non-administ