VYPR
High severity · NVD Advisory · Published Nov 14, 2024 · Updated Nov 14, 2024

Harbor fails to validate user permissions while Viewing, updating and deleting Webhook policies

CVE-2022-31666

Description

Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users. The attacker could modify Webhook policies configured in other projects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Harbor fails to validate user permissions on Webhook policy endpoints, allowing unauthorized read, update, and delete of policies across projects.

Vulnerability

Harbor, an open-source cloud native registry, does not enforce proper authorization checks on several Webhook policy API endpoints. The GET, PUT, and DELETE operations on /projects/{project_name_or_id}/webhook/policies/{webhook_policy_id} lack validation that the requesting user has the necessary permissions for the project associated with the policy. This oversight means any authenticated user can interact with Webhook policies in projects they do not own or have explicit access to [1][3][4].

Exploitation

An attacker with valid Harbor credentials can exploit these missing permission checks by crafting API requests that target Webhook policies in other projects. For example, sending a GET request with varying webhook_policy_id values can disclose sensitive policy details and credentials [3]. Similarly, PUT requests allow the attacker to modify Webhook configurations, and DELETE requests can remove policies belonging to other users [1][4]. No special administrative privileges are required beyond basic authentication.

Impact

Successful exploitation enables an attacker to read, alter, or delete Webhook policies across projects. This could lead to unauthorized disclosure of webhook credentials and URLs, disruption of automated workflows that rely on webhook notifications, and potential redirection of webhook events to attacker-controlled endpoints for further compromise [1][3][4].

Mitigation

The vulnerability is addressed in Harbor version 2.5.2 and later (the affected-package table below also lists patched maintenance releases 1.10.13 and 2.4.3 for the older branches). Users should upgrade to this or a subsequent release as soon as possible. No workarounds are available [3][4].
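The missing check described under Vulnerability, and the fix Mitigation relies on, as an added Go example that is not Harbor's code: a hypothetical policy lookup that, like the affected endpoints, resolves a policy by its ID alone, beside a hardened version that requires the caller to hold permission on the project named in the path and the policy to belong to that project. All types, function names and sample data are constructed for this example.

```go
package main

import "errors"
import "fmt"

// Hypothetical simplified model (not Harbor's types): each webhook policy belongs to one project.
type WebhookPolicy struct {
	ID        int64
	ProjectID int64
	Target    string // notification endpoint; may embed a secret
}

// Principal is the authenticated caller plus the projects on which it may manage webhook policies.
type Principal struct{ ProjectPerms map[int64]bool }

var ErrNotFound = errors.New("webhook policy not found")
var ErrForbidden = errors.New("forbidden")

// Constructed sample data: policy 1 lives in project 10, policy 2 in project 20.
var policyStore = map[int64]*WebhookPolicy{
	1: {ID: 1, ProjectID: 10, Target: "https://ci.example/hook?token=SECRET-A"},
	2: {ID: 2, ProjectID: 20, Target: "https://ops.example/hook?token=SECRET-B"},
}

// getPolicyVulnerable mirrors the flaw: lookup by ID alone, ignoring the path's project and the caller's rights.
func getPolicyVulnerable(_ Principal, _ int64, policyID int64) (*WebhookPolicy, error) {
	if pol, ok := policyStore[policyID]; ok {
		return pol, nil
	}
	return nil, ErrNotFound
}

// getPolicyFixed adds the missing checks: permission on the path's project, and the policy must belong to it.
func getPolicyFixed(p Principal, projectID, policyID int64) (*WebhookPolicy, error) {
	if !p.ProjectPerms[projectID] {
		return nil, ErrForbidden
	}
	pol, ok := policyStore[policyID]
	if !ok || pol.ProjectID != projectID {
		return nil, ErrNotFound // a foreign policy is reported as absent, not leaked
	}
	return pol, nil
}

func main() {
	mallory := Principal{ProjectPerms: map[int64]bool{20: true}} // rights on project 20 only
	pol, _ := getPolicyVulnerable(mallory, 10, 1)
	_, err := getPolicyFixed(mallory, 10, 1)
	fmt.Println("vulnerable leaks:", pol.Target, "| fixed:", err)
}
```

The same two checks apply unchanged to the update and delete paths: resolve the policy, then refuse unless the project matches and the caller is authorized on it.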

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem  Affected versions      Patched version
github.com/goharbor/harbor  Go         >= 1.0.0, < 1.10.13    1.10.13
github.com/goharbor/harbor  Go         >= 2.0.0, < 2.4.3      2.4.3
github.com/goharbor/harbor  Go         >= 2.5.0, < 2.5.2      2.5.2

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 4
