Malicious User Access to Job Logs via Unvalidated User Permissions
CVE-2022-31671
7.4 HIGH
Key Information:
- Vendor: Harbor
- Status
- Harbor
- Vendor
- CVE Published: 14 November 2024
Summary
A security vulnerability in Harbor allows authenticated users to bypass authorization when accessing job execution logs. The flaw arises because Harbor fails to validate user permissions when reading and updating P2P preheat execution logs. By crafting requests that specify various job IDs, a malicious user can gain unauthorized access to job logs stored in the Harbor database, potentially exposing sensitive operational information. This risk calls for immediate attention to ensure that robust access control measures are implemented.
Affected Version(s)
Harbor Harbor (Go) 2.x <= 2.4.2; 2.5 <= 2.5.1
CVSS V3.1
Score: 7.4
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved