CVE-2022-31668

HIGH7.4EPSS 0.06%

Harbor fails to validate the user permissions when updating p2p preheat policies in github.com/goharbor/harbor

Published: 11/14/2024Modified: 3/3/2026

Description

Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.

Affected packages (4)

Bitnami/harbor>= 2.0.0, < 2.4.3, >= 2.5.0, < 2.5.2
Go/github.com/goharbor/harbor>= 2.0.0, < 2.4.3
Go/github.com/goharbor/harbor>= 2.0.0+incompatible, < 2.4.3+incompatible, >= 2.5.0+incompatible, < 2.5.2+incompatible
Go/github.com/goharbor/harbor/srcfrom 0, < 0.0.0-20220630175814-b4ef1db

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-31668
PATCHhttps://github.com/goharbor/harbor
WEBhttps://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7
WEBhttps://pkg.go.dev/vuln/GO-2024-3268