Skip to content

Harbor fails to validate the user permissions when updating project configurations

Moderate severity GitHub Reviewed Published Jul 31, 2024 in goharbor/harbor • Updated Aug 7, 2024

Package

gomod github.com/goharbor/harbor (Go)

Affected versions

< 2.9.5
>= 2.10.0, < 2.10.3

Patched versions

2.9.5
2.10.3

Description

Impact

Harbor fails to validate the maintainer role permissions when creating/updating/deleting project configurations - API call:

  • PUT /projects/{project_name_or_id}/metadatas/{meta_name}
  • POST /projects/{project_name_or_id}/metadatas/{meta_name}
  • DELETE /projects/{project_name_or_id}/metadatas/{meta_name}

By sending a request to create/update/delete a metadata with an name that belongs to a project that the currently authenticated and granted to the maintainer role user doesn’t have access to, the attacker could modify configurations in the current project.

BTW: the maintainer role in Harbor was intended for individuals who closely support the project admin in maintaining the project but lack configuration management permissions. However, the maintainer role can utilize the metadata API to circumvent this limitation. It's important to note that any potential attacker must be authenticated and granted a specific project maintainer role to modify configurations, limiting their scope to only that project.

Patches

Will be fixed in v2.9.5, v2.10.3 and v2.11.0

Workarounds

There are no workarounds available.

Credit

Thanks to Ravid Mazon(rmazon@paloaltonetworks.com), Jay Chen (jaychen@paloaltonetworks.com) Palo Alto Networks for reporting this issue.

References

@stonezdj stonezdj published to goharbor/harbor Jul 31, 2024
Published to the GitHub Advisory Database Jul 31, 2024
Reviewed Jul 31, 2024
Published by the National Vulnerability Database Aug 2, 2024
Last updated Aug 7, 2024

Severity

Moderate

EPSS score

0.045%
(15th percentile)

Weaknesses

CVE ID

CVE-2024-22278

GHSA ID

GHSA-hw28-333w-qxp3

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.