Base Score

HIGH7.7

CVE-2022-31669

Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects.

VectorNETWORK

Published Bysecurity@vmware.com

Published DateNov 14, 2024, 12:15

Affected Versions(3)

github.com/goharbor/harbor(Go)

Introduced1.0.0

Fixed1.10.13

LimitN/A

github.com/goharbor/harbor(Go)

Introduced2.0.0

Fixed2.4.3

LimitN/A

github.com/goharbor/harbor(Go)

Introduced2.5.0

Fixed2.5.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/goharbor/harbor(Go)	1.0.0	1.10.13	N/A
github.com/goharbor/harbor(Go)	2.0.0	2.4.3	N/A
github.com/goharbor/harbor(Go)	2.5.0	2.5.2	N/A

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

7.7

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE

References

https://github.com/goharbor/harbor/security/advisories/GHSA-8c6p-v837-77f6

Base Score

HIGH7.7

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

7.7

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE