VYPR
High severity · NVD Advisory · Published Nov 14, 2024 · Updated Nov 14, 2024

Harbor fails to validate the user permissions when updating tag retention policies

CVE-2022-31670

Description

Harbor fails to validate the user permissions when updating tag retention policies.

By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Harbor fails to validate user permissions when updating tag retention policies, allowing an authenticated attacker to modify policies in projects they do not have access to.

Vulnerability

Description

CVE-2022-31670 is an authorization bypass vulnerability in the Harbor container registry. The root cause is that the PUT /retentions/{id} API endpoint does not verify whether the authenticated user has the necessary permissions for the project associated with the given retention policy ID [1][3]. This missing validation allows a user to update tag retention policies that belong to projects they are not authorized to access.
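An added example, constructed for this page and not Harbor's own code, of the check the advisory says was missing: the hardened update handler resolves the project that owns the policy from the stored record and authorizes the caller against that project, shown next to the unchecked variant that trusts the policy id alone. The RetentionPolicy, User and Store types and the user alice are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model, not Harbor's code: a stored policy records its owning project.
type RetentionPolicy struct {
	ProjectID int64
	Rules     []string
}
type User struct{ CanUpdate map[int64]bool } // project id -> may update policies
type Store struct{ policies map[int64]*RetentionPolicy }

var (
	ErrNotFound  = errors.New("retention policy not found")
	ErrForbidden = errors.New("no permission on the policy's project")
)

// UpdateVulnerable shows the flaw class in the advisory: the policy is
// looked up by id alone, so any authenticated user can change any policy.
func (s *Store) UpdateVulnerable(u *User, id int64, rules []string) error {
	p, ok := s.policies[id]
	if !ok {
		return ErrNotFound
	}
	p.Rules = rules
	return nil
}

// UpdateHardened resolves the owning project from the stored record (never
// from a project id in the request) and authorizes against that project.
func (s *Store) UpdateHardened(u *User, id int64, rules []string) error {
	p, ok := s.policies[id]
	if !ok {
		return ErrNotFound
	}
	if !u.CanUpdate[p.ProjectID] {
		return ErrForbidden
	}
	p.Rules = rules
	return nil
}

func main() {
	s := &Store{policies: map[int64]*RetentionPolicy{2: {ProjectID: 20}}}
	alice := &User{CanUpdate: map[int64]bool{10: true}} // no rights on project 20
	fmt.Println(s.UpdateVulnerable(alice, 2, nil), s.UpdateHardened(alice, 2, nil))
}
```

The point of the hardened variant is that the authorization subject is derived server-side from the resource being modified; a project id taken from the request body would let the caller choose which project gets checked.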

Exploitation

An attacker can exploit this vulnerability by sending a crafted PUT request to update a tag retention policy, specifying an id that belongs to a project the attacker does not have access to. The only prerequisite is that the attacker must be an authenticated user of the Harbor instance [1][3]. No other special privileges are required, making this a low-complexity attack against authorization controls.

Impact

Successful exploitation enables the attacker to modify tag retention policies configured in other projects. Depending on the policy configuration, this could allow an attacker to retain or delete container images in projects they should not control, potentially leading to data loss or unauthorized retention of sensitive artifacts [1][3].

Mitigation

Harbor has fixed this issue in version 2.5.2 and later [3]. There are no workarounds available, so affected users should upgrade to a patched version as soon as possible [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Affected versions       Patched versions
github.com/goharbor/harbor (Go)   >= 1.0.0, < 1.10.13     1.10.13
github.com/goharbor/harbor (Go)   >= 2.0.0, < 2.4.3       2.4.3
github.com/goharbor/harbor (Go)   >= 2.5.0, < 2.5.2       2.5.2

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 3
