Vulnerability Report: GO-2024-3268

Harbor fails to validate user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an ID that belongs to a project the currently authenticated user cannot access, an attacker could modify p2p preheat policies configured in other projects.

For detailed information about this vulnerability, visit https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7.
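The flaw described above is an object-level authorization gap: the permission decision is not tied to the project that owns the policy being updated. The Go code below is an added example, not Harbor's code or its fix; the `Store`, `Policy`, `UpdateUnchecked` and `UpdateChecked` names, the request shape (a project plus a policy ID) and the sample data are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy, Store and the demo data below are constructed stand-ins, not Harbor's code.
type Policy struct {
	ProjectID int64
	Name      string
}
type Store struct {
	Policies map[int64]*Policy         // keyed by policy ID
	CanWrite map[string]map[int64]bool // user -> projects the user may manage
}

var ErrDenied = errors.New("not found or not permitted")

// UpdateUnchecked is the flawed pattern (assumed): permission is checked on the
// project named in the request, but the policy is then loaded by ID alone.
func (s *Store) UpdateUnchecked(user string, reqProject, policyID int64, name string) error {
	p, ok := s.Policies[policyID]
	if !ok || !s.CanWrite[user][reqProject] {
		return ErrDenied
	}
	p.Name = name // p.ProjectID was never compared with reqProject
	return nil
}

// UpdateChecked also requires the policy to belong to the authorized project.
func (s *Store) UpdateChecked(user string, reqProject, policyID int64, name string) error {
	p, ok := s.Policies[policyID]
	if !ok || p.ProjectID != reqProject || !s.CanWrite[user][p.ProjectID] {
		return ErrDenied // one answer for "missing" and "owned elsewhere"
	}
	p.Name = name
	return nil
}

func NewDemoStore() *Store {
	return &Store{
		Policies: map[int64]*Policy{10: {ProjectID: 1, Name: "own"}, 20: {ProjectID: 2, Name: "other"}},
		CanWrite: map[string]map[int64]bool{"alice": {1: true}}, // alice manages project 1 only
	}
}

func main() {
	s := NewDemoStore()
	fmt.Println(s.UpdateUnchecked("alice", 1, 20, "x"), s.UpdateChecked("alice", 1, 20, "y"), s.Policies[20].Name)
}
```

A regression test for this class of bug should always include the cross-project case: a caller with rights on one project submitting the ID of a policy owned by another.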

Affected Modules

  • Path
    Go Versions
  • from v2.0.0+incompatible before v2.4.3+incompatible, from v2.5.0+incompatible before v2.5.2+incompatible

Aliases

References

Credits

  • Gal Goldstein (Oxeye Security), Daniel Abeles (Oxeye Security)
