CVE-2025-30086
Description
CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/goharbor/harborGo | >= 2.13.0, < 2.13.1 | 2.13.1 |
github.com/goharbor/harborGo | >= 2.4.0-rc1.1, < 2.12.4 | 2.12.4 |
github.com/goharbor/harborGo | < 2.4.0-rc1.0.20250331071157-dce7d9f5cffb | 2.4.0-rc1.0.20250331071157-dce7d9f5cffb |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/goharbor/harborpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
>= 2.13.0, < 2.13.1+ 1 more
- (no CPE)range: >= 2.13.0, < 2.13.1
- (no CPE)range: < 0.0.20250730T213748-1.1
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-h27m-3qw8-3pw8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-30086ghsaADVISORY
- github.com/goharbor/harbor/commit/dce7d9f5cffbd0d0c5d27e7a2f816f65a930702cghsaWEB
- github.com/goharbor/harbor/releasesnvdWEB
- github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8nvdWEB
- goharbor.io/blogghsaWEB
- www.elttam.com/blog/plormbing-your-django-ormghsaWEB
- goharbor.io/blog/nvd
- www.elttam.com/blog/plormbing-your-django-orm/nvd
News mentions
0No linked articles in our index yet.