Upload false tags to gain unauthorized access to other projects
CVE-2022-31669

7.7 HIGH

Key Information:

Vendor
Harbor
Status
Harbor
Vendor
CVE Published: 14 November 2024

Summary

An improper access control vulnerability in Harbor allows users to manipulate tag immutability policies in projects they are not authorized for. When an authenticated user sends a request to update the immutability policy for a tag associated with a project they do not have permissions for, the request can modify the policies set for other projects. This flaw poses significant risks to the integrity of deployed container images and could lead to unauthorized alterations in image accessibility.

Affected Version(s)

Harbor Harbor (Go): 2.x <= 2.4.2; 2.5 <= 2.5.1

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
