Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12dzYzLTgyNHYtcWYyas4AA8mZ
SQL Injection in Harbor scan log API
Impact
A user with an administrator, project_admin, or project_maintainer role could utilize and exploit SQL Injection to allow the execution of any Postgres function or the extraction of sensitive information from the database through this API:
GET /api/v2.0/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log
The SQL injection might happen in the code:
Because raw SQL executed in ormer.Raw(Sql).QueryRows() is PrepareStatement. In the driver of Postgres, one PrepareStatement must contain only ONE SQL command, see https://www.postgresql.org/docs/15/libpq-exec.html#LIBPQ-PQPREPARE. The SQL should start with:
SELECT * FROM task WHERE extra_attrs::jsonb->'report_uuids' @>
Adding a delete/update operation by appending malicious content to the current SQL is impossible. Furthermore, the query result of the task is just an intermediate result, the task ID is used to locate the job log file, and the response only contains the content of the job log file. so this vulnerability can be used to execute SQL functions, but it can't leak any useful information to the response.
Harbor >=v2.8.1, >=2.9.0, >=2.10.0 are impacted.
Patches
Harbor v2.8.6, v2.9.4, v2.10.2 fixes this issue.
Workarounds
There is no workaround for this issue.
Credits
Thanks Taisei Inoue ([email protected])
Permalink: https://github.com/advisories/GHSA-vw63-824v-qf2jJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12dzYzLTgyNHYtcWYyas4AA8mZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 2.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-vw63-824v-qf2j, CVE-2024-22261
References:
- https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j
- https://nvd.nist.gov/vuln/detail/CVE-2024-22261
- https://pkg.go.dev/vuln/GO-2024-2916
- https://github.com/advisories/GHSA-vw63-824v-qf2j
Blast Radius: 1.6
Affected Packages
go:github.com/goharbor/harbor
Dependent packages: 0Dependent repositories: 4
Downloads:
Affected Version Ranges: >= 2.10.0, < 2.10.2, >= 2.9.0, < 2.9.4, < 2.8.6
Fixed in: 2.10.2, 2.9.4, 2.8.6
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 1.10.16, 1.10.17, 1.10.18, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1
All unaffected versions: 2.8.6, 2.9.4, 2.10.2