VYPR
High severity · NVD Advisory · Published Aug 2, 2024 · Updated Aug 14, 2024

Harbor fails to validate the user permissions when updating project configurations

CVE-2024-22278

Description

Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Harbor fails to validate maintainer role permissions for project configuration APIs, allowing authenticated users to modify configurations they should not be able to.

CVE-2024-22278 is an incorrect user permission validation vulnerability in Harbor, an open-source cloud-native registry. The flaw exists in the project configuration metadata API endpoints (PUT, POST, DELETE /projects/{project_name_or_id}/metadatas/{meta_name}) where the maintainer role's permissions are not properly validated [3]. This allows a user with the maintainer role to create, update, or delete project configurations, despite the maintainer role being intended to lack such configuration management capabilities [3].

To exploit this vulnerability, an attacker must be authenticated and granted the maintainer role for a specific project. The attacker can then send crafted requests to the metadata API to modify configurations within that project [3]. The attack is limited to the project for which the attacker has maintainer access, but it circumvents the intended permission boundaries.
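The flaw described above is a missing or too-coarse authorization check on the project metadata endpoints (POST, PUT and DELETE under /projects/{project_name_or_id}/metadatas). The Go program below is an added illustration written for this page; it is not Harbor's code and does not reproduce the actual fix. It contrasts a hypothetical permissive check, which treats any maintainer-or-above member as allowed to write configuration, with an explicit capability allow-list in which writing metadata is a project_admin action and maintainer keeps read access only. The role names and the capability strings are assumptions for the example; the endpoint paths are taken from the advisory text.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// Role is a project-level role. Names are assumed for this example.
type Role string

const (
	RoleGuest        Role = "guest"
	RoleDeveloper    Role = "developer"
	RoleMaintainer   Role = "maintainer"
	RoleProjectAdmin Role = "project_admin"
)

// metadataPath matches the project configuration metadata endpoints named in
// the advisory: /projects/{project_name_or_id}/metadatas and .../metadatas/{meta_name}.
var metadataPath = regexp.MustCompile(`^/projects/[^/]+/metadatas(?:/[^/]+)?$`)

// actionFor maps an HTTP request on a metadata endpoint to a capability name.
// Any other path or method yields ok=false so the caller fails closed.
func actionFor(method, path string) (action string, ok bool) {
	if !metadataPath.MatchString(path) {
		return "", false
	}
	switch method {
	case http.MethodGet, http.MethodHead:
		return "metadata:read", true
	case http.MethodPost, http.MethodPut, http.MethodDelete:
		return "metadata:write", true
	}
	return "", false
}

// weakPolicy is the flawed pattern (hypothetical, not Harbor's code): a write
// is allowed for any member whose role is "at least maintainer", so the
// maintainer role silently inherits configuration management.
func weakPolicy(role Role, method, path string) bool {
	action, ok := actionFor(method, path)
	if !ok {
		return false
	}
	if action == "metadata:read" {
		return role != ""
	}
	return role == RoleMaintainer || role == RoleProjectAdmin
}

// capabilities is the corrected allow-list: each role carries exactly the
// actions it is documented to have, and configuration writes belong to
// project_admin alone. Adding a new role cannot accidentally grant writes.
var capabilities = map[Role]map[string]bool{
	RoleGuest:        {"metadata:read": true},
	RoleDeveloper:    {"metadata:read": true},
	RoleMaintainer:   {"metadata:read": true},
	RoleProjectAdmin: {"metadata:read": true, "metadata:write": true},
}

// fixedPolicy authorizes strictly by explicit capability lookup; an unknown
// role, action or path is denied.
func fixedPolicy(role Role, method, path string) bool {
	action, ok := actionFor(method, path)
	if !ok {
		return false
	}
	return capabilities[role][action]
}

func main() {
	path := "/projects/library/metadatas/public" // constructed sample request target
	for _, role := range []Role{RoleDeveloper, RoleMaintainer, RoleProjectAdmin} {
		for _, m := range []string{http.MethodGet, http.MethodPut, http.MethodDelete} {
			fmt.Printf("%-14s %-6s weak=%-5v fixed=%v\n",
				role, m, weakPolicy(role, m, path), fixedPolicy(role, m, path))
		}
	}
}
```

The design point is the shape of the check, not the role names: a comparison such as "role >= maintainer" expresses a ranking the product never promised, whereas a per-role capability table makes the intended boundary (maintainers read configuration, project admins change it) auditable in one place and is what a reviewer would compare against the documented role matrix.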

The impact is that an authenticated maintainer can modify project configurations, potentially altering security settings, replication policies, or other project-level metadata. This could lead to unauthorized changes that affect the registry's behavior and security posture. The vulnerability is rated with a CVSS score (as per NVD) [2] and affects Harbor versions before 2.9.5 and 2.10.3 [4].

The vulnerability is patched in Harbor versions 2.9.5, 2.10.3, and 2.11.0 [3]. There are no known workarounds, so upgrading to a fixed version is recommended. The issue was reported by researchers from Palo Alto Networks [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     | Ecosystem | Affected versions    | Patched versions
github.com/goharbor/harbor  | Go        | < 2.9.5              | 2.9.5
github.com/goharbor/harbor  | Go        | >= 2.10.0, < 2.10.3  | 2.10.3
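The two affected ranges above are disjoint (everything below 2.9.5, and 2.10.0 up to but not including 2.10.3), so a plain string or float comparison of a deployed version gets them wrong. The Go program below is an added example for this page, not tooling from Harbor or the advisory source, that encodes exactly those ranges as introduced-inclusive / fixed-exclusive intervals and checks a list of version strings against them. It assumes plain MAJOR.MINOR.PATCH tags with an optional leading "v" and rejects anything else rather than guessing.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is MAJOR.MINOR.PATCH; comparisons are component-wise integers.
type version [3]int

// parseVersion accepts "2.10.3" or "v2.10.3" and rejects other shapes.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", s)
	}
	var v version
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// less is a strict component-wise comparison, so 2.9.5 < 2.10.0.
func (a version) less(b version) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// vulnRange is [introduced, fixed): the fixed version itself is not affected.
type vulnRange struct{ introduced, fixed version }

// cve202422278 mirrors the advisory's affected-package table:
// < 2.9.5 and >= 2.10.0, < 2.10.3.
var cve202422278 = []vulnRange{
	{introduced: version{0, 0, 0}, fixed: version{2, 9, 5}},
	{introduced: version{2, 10, 0}, fixed: version{2, 10, 3}},
}

// isAffected reports whether a Harbor version string falls in an affected range.
func isAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, r := range cve202422278 {
		if !v.less(r.introduced) && v.less(r.fixed) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inventory of Harbor instances.
	for _, tag := range []string{"v2.8.4", "2.9.4", "2.9.5", "v2.10.2", "2.10.3", "2.11.0", "2.10"} {
		affected, err := isAffected(tag)
		if err != nil {
			fmt.Printf("%-8s error: %v\n", tag, err)
			continue
		}
		fmt.Printf("%-8s affected=%v\n", tag, affected)
	}
}
```

Because 2.9.5 and 2.10.3 are excluded by the half-open interval, the checker agrees with the table's "Patched versions" column; a version above 2.10.3 (for example 2.11.0) falls in neither range and is reported as not affected.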

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.