Unauthorized Access to Webhook Policies in Harbor
CVE-2022-31666

7.7HIGH

Key Information:

Vendor: Harbor
Status: Harbor
Vendor: CVE Published:; 14 November 2024

Summary

Harbor, a popular open-source cloud-native registry, has a vulnerability that allows unauthorized users to manipulate Webhook policies. This issue stems from the application's failure to properly validate user permissions during the deletion of Webhook policies. As a result, malicious actors can gain access to, modify, or delete Webhook configurations established by other users across different projects. This could lead to unauthorized notifications or actions being triggered, compromising the integrity of the application and potentially harmful consequences to related services.

Affected Version(s)

Harbor Harbor 2.x<=2.4.2; 2.5<=2.5.1

References

https://github.com/goharbor/harbor/security/advisories/GH...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 14, 2024
Vulnerability Reserved
May 25, 2022