GHSA-hw28-333w-qxp3

Source
https://github.com/advisories/GHSA-hw28-333w-qxp3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-hw28-333w-qxp3/GHSA-hw28-333w-qxp3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hw28-333w-qxp3
Aliases
Published
2024-07-31T16:53:13Z
Modified
2024-11-18T16:26:57Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N
Summary
Harbor fails to validate the user permissions when updating project configurations
Details

Impact

Harbor fails to validate the maintainer role permissions when creating, updating or deleting project configurations through the following API calls:

  • PUT /projects/{projectnameorid}/metadatas/{metaname}
  • POST /projects/{projectnameorid}/metadatas/{metaname}
  • DELETE /projects/{projectnameorid}/metadatas/{metaname}

By sending a request to create, update or delete a metadata entry whose name belongs to a project that the currently authenticated user (granted the maintainer role) does not have access to, the attacker could modify configurations in the current project.

Note: the maintainer role in Harbor was intended for individuals who closely support the project admin in maintaining the project but lack configuration management permissions. However, the maintainer role can use the metadata API to circumvent this limitation. It is important to note that any potential attacker must be authenticated and granted the maintainer role on a specific project in order to modify configurations, which limits their scope to that project only.

Patches

This will be fixed in v2.9.5, v2.10.3 and v2.11.0.

Workarounds

There are no workarounds available.

Credit

Thanks to Ravid Mazon (rmazon@paloaltonetworks.com) and Jay Chen (jaychen@paloaltonetworks.com) of Palo Alto Networks for reporting this issue.

Database specific
{
    "nvd_published_at": "2024-08-02T01:15:23Z",
    "cwe_ids": [
        "CWE-269"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-31T16:53:13Z"
}
References

Affected packages

Go / github.com/goharbor/harbor

Package

Name
github.com/goharbor/harbor
Purl
pkg:golang/github.com/goharbor/harbor

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.9.5

Go / github.com/goharbor/harbor

Package

Name
github.com/goharbor/harbor
Purl
pkg:golang/github.com/goharbor/harbor

Affected ranges

Type
SEMVER
Events
Introduced
2.10.0
Fixed
2.10.3