Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.  By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
History

Tue, 19 Nov 2024 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation harbor
Weaknesses CWE-863
CPEs cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation harbor

Thu, 14 Nov 2024 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
Description Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.  By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
Title Harbor fails to validate the user permissions when updating a robot account
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-11-14T11:50:48.289Z

Updated: 2024-11-14T14:11:06.110Z

Reserved: 2022-05-25T23:31:47.418Z

Link: CVE-2022-31667

cve-icon Vulnrichment

Updated: 2024-11-14T14:10:52.881Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-14T12:15:16.390

Modified: 2024-11-19T15:25:29.643

Link: CVE-2022-31667

cve-icon Redhat

No data.