CVE-2022-31668: Harbor fails to validate the user permissions when updating p2p preheat policies

November 14, 2024 (updated December 12, 2024)

Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify p2p preheat policies configured in other projects.

References

github.com/advisories/GHSA-r864-28pw-8682
github.com/goharbor/harbor
github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7
nvd.nist.gov/vuln/detail/CVE-2022-31668
pkg.go.dev/vuln/GO-2024-3268

Code Behaviors & Features

Detect and mitigate CVE-2022-31668 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →