SQL Injection in Harbor scan log API

Vulnerability

CVE-2024-22261 is an SQL injection vulnerability in the scan log API endpoint of Harbor, an open-source cloud-native container registry. The flaw exists in the GET /api/v2.0/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log endpoint, where raw SQL is executed without proper sanitization when listing scan tasks by report UUID [3]. Specifically, the code uses ormer.Raw(Sql).QueryRows() with a SQL statement that includes user-controlled input, allowing attackers to inject malicious SQL commands.

Exploitation

Exploitation requires a user with at least project_admin, project_maintainer, or administrator role in Harbor [3]. However, due to PostgreSQL's handling of prepared statements, each statement can only contain one SQL command, preventing direct data modification via DELETE or UPDATE [3]. The primary attack vector is to append arbitrary PostgreSQL functions to the query, which can be executed against the database.

Impact

An attacker exploiting this vulnerability can execute arbitrary PostgreSQL functions, potentially extracting sensitive information from the database [3]. While the task IDs are used only to locate job log files, the response itself does not include direct database query results in the body [3]. This limits direct information leakage but still enables function execution that could be chained with other techniques to exfiltrate data or enumerate internal state.

Mitigation

Harbor versions 2.8.1 and later, 2.9.0 and later, and 2.10.0 and later are affected [3]. Patches are available in Harbor v2.8.6, v2.9.4, and v2.10.2 [3]. No workaround exists, so upgrading to a patched version is essential [3]. The vulnerability is also tracked in the Go vulnerability database (GO-2024-2916) [4].