Base Score

HIGH7.4

CVE-2022-31671

Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.

VectorNETWORK

Published Bysecurity@vmware.com

Published DateNov 14, 2024, 12:15

Affected Versions(3)

github.com/goharbor/harbor(Go)

Introduced1.0.0

Fixed1.10.13

LimitN/A

github.com/goharbor/harbor(Go)

Introduced2.0.0

Fixed2.4.3

LimitN/A

github.com/goharbor/harbor(Go)

Introduced2.5.0

Fixed2.5.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/goharbor/harbor(Go)	1.0.0	1.10.13	N/A
github.com/goharbor/harbor(Go)	2.0.0	2.4.3	N/A
github.com/goharbor/harbor(Go)	2.5.0	2.5.2	N/A

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

7.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW

References

Base Score

HIGH7.4

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

7.4

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW