Attackers Can Modify P2P Preheat Policies in Other Projects via ID Confusion

CVE-2022-31668

7.7HIGH

Key Information

Vendor: Harbor
Status: Harbor
Vendor: CVE Published:; 14 November 2024

Summary

Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.

Affected Version(s)

Harbor = Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Nov 14, 2024
Vulnerability Reserved.
May 25, 2022

Collectors

NVD DatabaseMitre Database