Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1odzI4LTMzM3ctcXhwM84AA-S2
Harbor fails to validate the user permissions when updating project configurations
Impact
Harbor fails to validate the maintainer role permissions when creating/updating/deleting project configurations - API call:
- PUT /projects/{project_name_or_id}/metadatas/{meta_name}
- POST /projects/{project_name_or_id}/metadatas/{meta_name}
- DELETE /projects/{project_name_or_id}/metadatas/{meta_name}
By sending a request to create/update/delete a metadata with an name that belongs to a project that the currently authenticated and granted to the maintainer role user doesn’t have access to, the attacker could modify configurations in the current project.
BTW: the maintainer role in Harbor was intended for individuals who closely support the project admin in maintaining the project but lack configuration management permissions. However, the maintainer role can utilize the metadata API to circumvent this limitation. It's important to note that any potential attacker must be authenticated and granted a specific project maintainer role to modify configurations, limiting their scope to only that project.
Patches
Will be fixed in v2.9.5, v2.10.3 and v2.11.0
Workarounds
There are no workarounds available.
Credit
Thanks to Ravid Mazon([email protected]), Jay Chen ([email protected]) Palo Alto Networks for reporting this issue.
Permalink: https://github.com/advisories/GHSA-hw28-333w-qxp3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odzI4LTMzM3ctcXhwM84AA-S2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 3 days ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-hw28-333w-qxp3, CVE-2024-22278
References:
- https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3
- https://nvd.nist.gov/vuln/detail/CVE-2024-22278
- https://pkg.go.dev/vuln/GO-2024-3013
- https://github.com/advisories/GHSA-hw28-333w-qxp3
Blast Radius: 3.3
Affected Packages
go:github.com/goharbor/harbor
Dependent packages: 0Dependent repositories: 4
Downloads:
Affected Version Ranges: >= 2.10.0, < 2.10.3, < 2.9.5
Fixed in: 2.10.3, 2.9.5
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 1.10.16, 1.10.17, 1.10.18, 1.10.19, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.10.0, 2.10.1, 2.10.2
All unaffected versions: 2.9.5, 2.10.3, 2.11.0, 2.11.1