GHSA-r864-28pw-8682: Harbor fails to validate the user permissions when updating p2p preheat policies

Severity: High • GitHub Reviewed • Published Nov 14, 2024 to the GitHub Advisory Database • Updated Nov 14, 2024

Package: github.com/goharbor/harbor (Go, gomod)
Affected versions: >= 2.0.0, < 2.4.3; >= 2.5.0, < 2.5.2
Patched versions: 2.4.3; 2.5.2

Package: github.com/goharbor/harbor/src (Go, gomod)
Affected versions: < 0.0.0-20220630175814-b4ef1db
Patched versions: 0.0.0-20220630175814-b4ef1db

Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify p2p preheat policies configured in other projects.
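
The class of flaw described above, modeled in Go as an added example (this is not Harbor's code). It assumes the caller is authorized against the project named in the request while the policy is loaded by the ID in the body; Store, Policy, Update and the sample data are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy is a hypothetical, simplified stand-in for a preheat policy record.
type Policy struct {
	ID, ProjectID int64
	Name          string
}

// Store maps policy IDs to policies and users to the projects they may manage.
type Store struct {
	Policies map[int64]*Policy
	Access   map[string]map[int64]bool
}

var ErrForbidden, ErrNotFound = errors.New("forbidden"), errors.New("not found")

// Update authorizes the caller for the project named in the request, then loads
// the policy by the ID from the body. With bindProject=false the policy's own
// project is never compared (the flaw class); with true a mismatch is rejected.
func (s *Store) Update(user string, reqProject int64, in Policy, bindProject bool) error {
	if !s.Access[user][reqProject] {
		return ErrForbidden
	}
	p, ok := s.Policies[in.ID]
	if !ok || (bindProject && p.ProjectID != reqProject) {
		return ErrNotFound // same answer for "missing" and "in another project"
	}
	p.Name = in.Name
	return nil
}

// NewDemoStore returns constructed sample data: alice manages project 10 only.
func NewDemoStore() *Store {
	return &Store{
		Policies: map[int64]*Policy{1: {1, 10, "nightly"}, 2: {2, 20, "release"}},
		Access:   map[string]map[int64]bool{"alice": {10: true}},
	}
}

func main() {
	s := NewDemoStore()
	fmt.Println(s.Update("alice", 10, Policy{ID: 2, Name: "x"}, false))
	fmt.Println(s.Update("alice", 10, Policy{ID: 2, Name: "y"}, true))
}
```

Returning the same error for a missing policy and a policy in another project keeps the update endpoint from confirming which policy IDs exist elsewhere.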

References

  • GHSA-3wpx-625q-22j7
  • https://nvd.nist.gov/vuln/detail/CVE-2022-31668

Published to the GitHub Advisory Database: Nov 14, 2024

Last updated: Nov 14, 2024
