CVE-2022-31671

Summary

Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.

Affected Software

VendorProductVersion RangeStatus
n/aHarborHarbor (Go) 2.x<=2.4.2; 2.5<=2.5.1affected

Weaknesses

  • CWE-285: CWE-285

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References