CVE-2025-30086

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-30086
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-30086.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-30086
Aliases
Published
2025-07-25T15:15:26Z
Modified
2025-07-29T19:12:07.757226Z
Summary
[none]
Details

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM leak in the /api/v2.0/users endpoint to obtain users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and the filter password=~ could be abused to leak a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

References

Affected packages

Git / github.com/goharbor/harbor

Affected ranges

Type
GIT
Repo
https://github.com/goharbor/harbor
Events

Affected versions

v2.*

v2.13.0
v2.13.0-rc2
v2.13.1-rc1
v2.13.1-rc2