cvebase

Github.Com Goharbor Harbor vulnerabilities

22 known vulnerabilities affecting github.com/goharbor_harbor.

Total CVEs: 22
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 14, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2019-16097 | P2 | MEDIUM | PoC | affected: ≥ 1.7.0, < 1.9.0-rc1 | 2022-02-15
CVE-2019-16097 [MEDIUM] CWE-862 Missing Authorization in Harbor: core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API. This is fixed in 1.9.0-rc1.
CVE-2026-4404 | P2 | CRITICAL | affected: ≥ 0, ≤ 2.15.0 | 2026-03-23
CVE-2026-4404 [CRITICAL] CWE-1393 Harbor allows the use of the default password for web UI login: Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.
CVE-2019-19023 | P3 | MEDIUM | affected: ≥ 1.7.0, < 1.8.6; ≥ 1.9.0, < 1.9.3 | 2021-05-18
CVE-2019-19023 [MEDIUM] CWE-269 Privilege Escalation in Cloud Native Computing Foundation Harbor: Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
CVE-2022-31670 | P3 | HIGH | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-16
CVE-2022-31670 [HIGH] CWE-285 Harbor fails to validate the user permissions when updating tag retention policies. Impact: Harbor fails to validate the user permissions when updating tag retention policies. API call: PUT /retentions/{id}. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could mod
CVE-2019-19029 | P3 | HIGH | affected: ≥ 1.7.0, < 1.8.6; ≥ 1.9.0, < 1.9.3 | 2021-05-18
CVE-2019-19029 [HIGH] CWE-89 SQL Injection in Cloud Native Computing Foundation Harbor: Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
CVE-2022-31669 | P3 | MEDIUM | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-16
CVE-2022-31669 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when updating tag immutability policies. Impact: Harbor fails to validate the user permissions when updating tag immutability policies. API call: PUT /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}. By sending a request to update a tag immutability policy with an id that belongs to a project that the currentl
CVE-2022-31668 | P3 | HIGH | affected: ≥ 2.0.0, < 2.4.3; ≥ 2.5.0, < 2.5.2 | 2024-11-14
CVE-2022-31668 [HIGH] CWE-285 Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other project
CVE-2022-31671 | P3 | MEDIUM | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-09
CVE-2022-31671 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs. Impact: Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs. API call: GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}
CVE-2019-19025 | P3 | HIGH | affected: ≥ 1.7.0, < 1.8.6; ≥ 1.9.0, < 1.9.3 | 2021-05-18
CVE-2019-19025 [HIGH] CWE-352 Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor: Cure53 has discovered that the Harbor web interface does not implement protection mechanisms against Cross-Site Request Forgery (CSRF). By luring an authenticated user onto a prepared third-party website, an attacker can execute any action on the platform in the context of the currently authenticated victim. Th
CVE-2022-31667 | P3 | MEDIUM | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-16
CVE-2022-31667 [MEDIUM] CWE-285 Harbor fails to validate the user permissions when updating a robot account. Impact: Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn't have access to. API call: PUT /robots/{robot_id}. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account n
CVE-2023-20902 | P3 | MEDIUM | affected: ≥ 0, < 1.10.18; ≥ 2.0.0, < 2.7.3; +1 more | 2023-10-10
CVE-2023-20902 [MEDIUM] CWE-208 Harbor timing attack risk: In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks. The vulnerability occurs due to the following code: https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69 To avoid this issue, constant time comparison should be used: subtle.ConstantTimeCompare([]byte(expectedSecret), []byt
CVE-2019-19030 | P4 | MEDIUM | CVSS 5.3 | affected: ≥ 1.7.0, < 1.10.3; ≥ 2.0.0, < 2.0.1 | 2022-02-11
CVE-2019-19030 [MEDIUM] CWE-204 Unauthenticated users can exploit an enumeration vulnerability in Harbor (CVE-2019-19030). Impact: Sean Wright from Secureworks has discovered an enumeration vulnerability. An attacker can make use of the Harbor API to make unauthenticated calls to the Harbor instance. Based on the HTTP status code in the response, an attacker is then able to work out which resources exist,
CVE-2024-22261 | P4 | LOW | affected: ≥ 0, < 2.8.6; ≥ 2.9.0, < 2.9.4; +1 more | 2024-06-02
CVE-2024-22261 [LOW] CWE-566 SQL Injection in Harbor scan log API. Impact: A user with an administrator, project_admin, or project_maintainer role could utilize and exploit SQL Injection to allow the execution of any Postgres function or the extraction of sensitive information from the database through this API: GET /api/v2.0/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log. The SQL injection might h
CVE-2019-19026 | P4 | MEDIUM | affected: ≥ 1.7.0, < 1.8.6; ≥ 1.9.0, < 1.9.3 | 2021-05-18
CVE-2019-19026 [MEDIUM] CWE-89 SQL Injection in Cloud Native Computing Foundation Harbor: Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
CVE-2022-31666 | P4 | HIGH | affected: ≥ 1.0.0, < 1.10.13; ≥ 2.0.0, < 2.4.3; +1 more | 2022-09-16
CVE-2022-31666 [HIGH] CWE-285 Harbor fails to validate the user permissions when viewing Webhook policies. Impact: Harbor fails to validate the user permissions to view Webhook policies, including relevant credentials configured in different projects the user doesn't have access to, resulting in malicious users being able to read Webhook policies of other users/projects. API call is GET /projects/{project_name_or_id}/
CVE-2020-29662 | P4 | MEDIUM | CVSS 5.3 | affected: ≥ 0, < 2.0.5; ≥ 2.1.0, < 2.1.2 | 2022-02-12
CVE-2020-29662 [MEDIUM] CWE-287 Catalog's registry v2 API exposed on unauthenticated path in Harbor. Impact: Javier Provecho, member of the TCCT (Telefonica Cloud & Cybersecurity Tech, better known as ElevenPaths) SRE team, discovered a vulnerability regarding Harbor's v2 API. The catalog's registry v2 API is exposed on an unauthenticated path. The current catalog API path is served at the following path and it require
CVE-2025-30086 | P4 | MEDIUM | affected: ≥ 2.13.0, < 2.13.1; ≥ 2.4.0-rc1.1, < 2.12.4; +1 more | 2025-07-23
CVE-2025-30086 [MEDIUM] CWE-200 Possible ORM Leak Vulnerability in Harbor. Impact: Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the /api/v2.0/users endpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because the q URL parameter allowed the administrator to filter users by any colum
CVE-2024-22244 | P4 | MEDIUM | affected: ≥ 0, < 2.8.5; ≥ 2.9.0, < 2.9.3; +1 more | 2024-06-02
CVE-2024-22244 [MEDIUM] CWE-601 Open Redirect URL in Harbor. Description: Under OIDC authentication mode, there is a redirect_url parameter exposed in the URL which is used to redirect the current user to the defined location after a successful OIDC login. This redirect_url can be an ambiguous URL and can be used to embed a phishing URL. For example, if a user clicks the URL with a malicious redirect_url: https:///c/oidc/login?redirect_url=https:// It mig
CVE-2020-13788 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ 1.8.0, < 2.0.1 | 2022-02-11
CVE-2020-13788 [MEDIUM] CWE-918 Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788). Impact: Matt Hamilton from Soluble has discovered a limited Server-Side Request Forgery (SSRF) that allowed Harbor project owners to scan the TCP ports of hosts on the Harbor server's internal network. The vulnerability was immediately fixed by the Harbor team. Issue: The "Test Endpoint" AP
CVE-2020-13794 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ 0, < 2.0.3 | 2021-05-24
CVE-2020-13794 [MEDIUM] CWE-862 Authenticated users can exploit an enumeration vulnerability in Harbor. Impact: Hidde Smit from Cyber Eagle has discovered a User Enumeration flaw in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction can be bypassed and information can be obtained via the "search" functionality. Non-administ