GHSA-vw63-824v-qf2j

Source

https://github.com/advisories/GHSA-vw63-824v-qf2j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-vw63-824v-qf2j/GHSA-vw63-824v-qf2j.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-vw63-824v-qf2j

Aliases

CVE-2024-22261
GO-2024-2916

Published

2024-06-02T22:32:40Z

Modified

2024-06-17T15:14:41Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

SQL Injection in Harbor scan log API

Details

Impact

A user with an administrator, projectadmin, or projectmaintainer role could utilize and exploit SQL Injection to allow the execution of any Postgres function or the extraction of sensitive information from the database through this API:

GET /api/v2.0/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log

The SQL injection might happen in the code:

https://github.com/goharbor/harbor/blob/9b7c1a2274fbc5ea16e19a484532f86c08926577/src/pkg/task/task.go#L241

Because raw SQL executed in ormer.Raw(Sql).QueryRows() is PrepareStatement. In the driver of Postgres, one PrepareStatement must contain only ONE SQL command, see https://www.postgresql.org/docs/15/libpq-exec.html#LIBPQ-PQPREPARE. The SQL should start with:

SELECT * FROM task WHERE extra_attrs::jsonb->'report_uuids' @>

Adding a delete/update operation by appending malicious content to the current SQL is impossible. Furthermore, the query result of the task is just an intermediate result, the task ID is used to locate the job log file, and the response only contains the content of the job log file. so this vulnerability can be used to execute SQL functions, but it can't leak any useful information to the response.

Harbor >=v2.8.1, >=2.9.0, >=2.10.0 are impacted.

Patches

Harbor v2.8.6, v2.9.4, v2.10.2 fixes this issue.

Workarounds

There is no workaround for this issue.

Credits

Thanks Taisei Inoue (taisei.inoue@gmo-cybersecurity.com)

Database specific

{
    "nvd_published_at": "2024-06-11T00:15:13Z",
    "cwe_ids": [
        "CWE-566"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-02T22:32:40Z"
}

References

Affected packages

Go / github.com/goharbor/harbor

Package

Name: github.com/goharbor/harbor; View open source insights on deps.dev
Purl: pkg:golang/github.com/goharbor/harbor

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.6

Go / github.com/goharbor/harbor

Package

Name: github.com/goharbor/harbor; View open source insights on deps.dev
Purl: pkg:golang/github.com/goharbor/harbor

Affected ranges

Type: SEMVER
Events: Introduced

2.9.0

Fixed

2.9.4

Go / github.com/goharbor/harbor

Package

Name: github.com/goharbor/harbor; View open source insights on deps.dev
Purl: pkg:golang/github.com/goharbor/harbor

Affected ranges

Type: SEMVER
Events: Introduced

2.10.0

Fixed

2.10.2