GHSA-h27m-3qw8-3pw8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h27m-3qw8-3pw8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-h27m-3qw8-3pw8/GHSA-h27m-3qw8-3pw8.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-h27m-3qw8-3pw8
- Aliases
- Published
- 2025-07-23T15:47:31Z
- Modified
- 2025-07-29T19:12:07.757226Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Possible ORM Leak Vulnerability in the Harbor
- Details
-
Impact
Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the
/api/v2.0/usersendpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because theqURL parameter allowed the administrator to filter users by any column, and the filterpassword=~could be abused to leak out a user's password hash character by character.An attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on the Harbor database, as demonstrated in the attached writeup by the leaking of users' password hashes and salts. All endpoints that support the
qURL parameter are vulnerable to this ORM leak attack, and could potentially be exploitable by lower privileged users to gain unauthorised access to other sensitive information.Patches
No available
Workarounds
NA
References
Credit
alex@elttam.com
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-200", "CWE-202" ], "github_reviewed_at": "2025-07-23T15:47:31Z", "github_reviewed": true, "nvd_published_at": "2025-07-25T15:15:26Z" }- References
-
- https://github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8
- https://nvd.nist.gov/vuln/detail/CVE-2025-30086
- https://github.com/goharbor/harbor/commit/dce7d9f5cffbd0d0c5d27e7a2f816f65a930702c
- https://github.com/goharbor/harbor
- https://github.com/goharbor/harbor/releases
- https://goharbor.io/blog
- https://www.elttam.com/blog/plormbing-your-django-orm
Affected packages
Go / github.com/goharbor/harbor
Package
- Name
- github.com/goharbor/harbor
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/goharbor/harbor
Go / github.com/goharbor/harbor
Package
- Name
- github.com/goharbor/harbor
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/goharbor/harbor
Go / github.com/goharbor/harbor
Package
- Name
- github.com/goharbor/harbor
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/goharbor/harbor