Harbor fails to validate the user permissions when reading and updating job execution logs through the P2P preheat execution logs
Description
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-31671: Harbor fails to validate user permissions for P2P preheat execution logs, allowing authenticated users to read any job logs in the database.
Vulnerability Overview
Harbor, an open-source cloud-native container registry, is affected by an access control deficiency in its P2P preheat execution log functionality. The API endpoint for retrieving logs, GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}/tasks/{task_id}/logs, does not validate whether the requesting user has permission to access the job logs associated with a given execution ID [3]. This missing authorization check allows an attacker to supply arbitrary job identifiers and retrieve logs outside their intended scope.
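The flaw class described above is a missing object-level authorization check: the handler fetches the log by the identifier in the URL without confirming that the identifier belongs to the project the caller is authorized for. The Go program below is an added illustration written for this page, not Harbor's code; its types, function names and sample data are hypothetical and constructed. It places a lookup that trusts the task ID alone beside a hardened lookup that checks project membership and then walks the project, policy, execution and task chain, rejecting any identifier outside that chain.

```go
package main

import (
	"errors"
	"fmt"
)

// All types below are a constructed, hypothetical model for this example;
// they are not Harbor's data model or API.
type Policy struct {
	ID      int
	Name    string
	Project string // owning project
}

type Execution struct {
	ID       int
	PolicyID int
}

type Task struct {
	ID          int
	ExecutionID int
	Log         string
}

type Store struct {
	policies   map[int]Policy
	executions map[int]Execution
	tasks      map[int]Task
	members    map[string]map[string]bool // project -> set of member usernames
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// VulnerableTaskLog shows the flaw class: the task is fetched by its ID alone, so
// the project, policy and execution in the URL are decorative and any
// authenticated user can read any task's log simply by varying the ID.
func (s *Store) VulnerableTaskLog(user, project, policyName string, execID, taskID int) (string, error) {
	t, ok := s.tasks[taskID]
	if !ok {
		return "", ErrNotFound
	}
	return t.Log, nil
}

// HardenedTaskLog applies object-level authorization: the caller must be a
// member of the project, and every identifier must belong to the chain
// project -> policy -> execution -> task named in the URL. An ID outside that
// chain is reported as not found, so the response does not reveal whether it exists.
func (s *Store) HardenedTaskLog(user, project, policyName string, execID, taskID int) (string, error) {
	if !s.members[project][user] {
		return "", ErrForbidden
	}
	pol, ok := s.findPolicy(project, policyName)
	if !ok {
		return "", ErrNotFound
	}
	e, ok := s.executions[execID]
	if !ok || e.PolicyID != pol.ID {
		return "", ErrNotFound
	}
	t, ok := s.tasks[taskID]
	if !ok || t.ExecutionID != e.ID {
		return "", ErrNotFound
	}
	return t.Log, nil
}

// findPolicy resolves a policy by its owning project and name.
func (s *Store) findPolicy(project, name string) (Policy, bool) {
	for _, p := range s.policies {
		if p.Project == project && p.Name == name {
			return p, true
		}
	}
	return Policy{}, false
}

// SampleStore builds constructed data: two projects, each with a policy of the
// same name, one execution and one task per project.
func SampleStore() *Store {
	return &Store{
		policies:   map[int]Policy{1: {1, "warm-cache", "alpha"}, 2: {2, "warm-cache", "beta"}},
		executions: map[int]Execution{10: {10, 1}, 20: {20, 2}},
		tasks: map[int]Task{
			100: {100, 10, "alpha: preheat of alpha/app:1.0 succeeded"},
			200: {200, 20, "beta: preheat of beta/internal:2.3 succeeded"},
		},
		members: map[string]map[string]bool{"alpha": {"alice": true}, "beta": {"bob": true}},
	}
}

func main() {
	s := SampleStore()
	// alice is a member of project alpha only, but asks for task 200, which lives in beta.
	l, err := s.VulnerableTaskLog("alice", "alpha", "warm-cache", 10, 200)
	fmt.Printf("vulnerable: %q err=%v\n", l, err)
	l, err = s.HardenedTaskLog("alice", "alpha", "warm-cache", 10, 200)
	fmt.Printf("hardened:   %q err=%v\n", l, err)
}
```

The hardened path deliberately answers "not found" rather than "forbidden" for an execution or task that exists but belongs to another project, so an authenticated user cannot use the status code to enumerate other projects' job IDs; "forbidden" is reserved for the membership check on the project the caller named.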
Exploitation Conditions
Exploitation requires an authenticated Harbor user with network access to the API endpoint. An attacker can craft requests that specify different job IDs than those associated with the project the user is authorized for [3]. No special privileges beyond standard user authentication are needed, making the attack simple to execute once access is obtained.
Impact
A successful attacker can read all job logs stored in the Harbor database, regardless of project ownership or role [1][3]. These logs may contain sensitive information such as command outputs, configuration details, or internal system state, potentially aiding further attacks or information disclosure.
Mitigation
Harbor has addressed this vulnerability in versions 2.5.2 and later [3]. No workaround is available, so upgrading to a patched release is strongly recommended. A related but distinct issue regarding insufficient permission validation when updating P2P preheat policies was fixed in a subsequent version [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/goharbor/harbor | Go | >= 1.0.0, < 1.10.13 | 1.10.13 |
| github.com/goharbor/harbor | Go | >= 2.0.0, < 2.4.3 | 2.4.3 |
| github.com/goharbor/harbor | Go | >= 2.5.0, < 2.5.2 | 2.5.2 |
Affected products
- Harbor / Harbor (no CPE), OSV version ranges:
  - >= 2.0.0, < 2.4.3
  - >= 1.0.0, < 1.10.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.