Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/goharbor/harbor(Go) | 2.0.0 | 2.4.3 | N/A |
| github.com/goharbor/harbor(Go) | 2.5.0 | 2.5.2 | N/A |
| github.com/goharbor/harbor/src(Go) | 0 | 0.0.0-20220630175814-b4ef1db | N/A |
CVSS Metrics
