BIT-harbor-2022-31667

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/harbor/BIT-harbor-2022-31667.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-harbor-2022-31667
Aliases
Published
2024-11-20T07:11:07.078Z
Modified
2024-11-20T07:57:10.971119Z
Summary
[none]
Details

Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.

References

Affected packages

Bitnami / harbor

Package

Name
harbor
Purl
pkg:bitnami/harbor

Severity

  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.4.3
Introduced
2.5.0
Fixed
2.5.2