Moderate severityNVD Advisory· Published Nov 14, 2024· Updated Nov 14, 2024
Harbor fails to validate the user permissions when updating a robot account
CVE-2022-31667
Description
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/goharbor/harborGo | >= 1.0.0, < 1.10.13 | 1.10.13 |
github.com/goharbor/harborGo | >= 2.0.0, < 2.4.3 | 2.4.3 |
github.com/goharbor/harborGo | >= 2.5.0, < 2.5.2 | 2.5.2 |
Affected products
3- osv-coords2 versions
>= 2.0.0, < 2.4.3+ 1 more
- (no CPE)range: >= 2.0.0, < 2.4.3
- (no CPE)range: >= 1.0.0, < 1.10.13
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.