CVE-2022-31671

Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated userscould read all the job logs stored in the Harbor database.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.4 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
vmwareCNA
7.4 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
VendorProductVersion
linuxfoundationharbor
2.0.0 ≤
𝑥
< 2.4.3
linuxfoundationharbor
2.5.0 ≤
𝑥
< 2.5.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7
https://github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw