CVE-2024-22278: Harbor fails to validate the user permissions when updating project configurations

July 31, 2024 (updated November 18, 2024)

Harbor fails to validate the maintainer role permissions when creating/updating/deleting project configurations - API call:

PUT /projects/{project_name_or_id}/metadatas/{meta_name}
POST /projects/{project_name_or_id}/metadatas/{meta_name}
DELETE /projects/{project_name_or_id}/metadatas/{meta_name}

By sending a request to create/update/delete a metadata with an name that belongs to a project that the currently authenticated and granted to the maintainer role user doesn’t have access to, the attacker could modify configurations in the current project.

BTW: the maintainer role in Harbor was intended for individuals who closely support the project admin in maintaining the project but lack configuration management permissions. However, the maintainer role can utilize the metadata API to circumvent this limitation. It’s important to note that any potential attacker must be authenticated and granted a specific project maintainer role to modify configurations, limiting their scope to only that project.

References

Code Behaviors & Features

Detect and mitigate CVE-2024-22278 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →