| id: GO-TEST-ID |
| modules: |
| - module: github.com/goharbor/harbor |
| versions: |
| - introduced: 1.0.0 |
| fixed: 1.10.13 |
| - introduced: 2.0.0+incompatible |
| fixed: 2.4.3+incompatible |
| - introduced: 2.5.0+incompatible |
| fixed: 2.5.2+incompatible |
| summary: Harbor fails to validate the user permissions when updating a robot account in github.com/goharbor/harbor |
| description: |- |
| ### Impact Harbor fails to validate the user permissions when updating a robot |
| account that belongs to a project that the authenticated user doesn’t have |
| access to. API call: |
| |
| PUT /robots/{robot_id} |
| |
| By sending a request that attempts to update a robot account, and specifying a |
| robot account id and robot account name that belongs to a different project that |
| the user doesn’t have access to, it was possible to revoke the robot account |
| permissions. |
| |
| ### Patches This and similar issues are fixed in Harbor v2.5.2 and later. Please |
| upgrade as soon as possible. |
| |
| ### Workarounds There are no workarounds available. |
| |
| ### For more information If you have any questions or comments about this |
| advisory: |
| * Open an issue in [the Harbor GitHub |
| repository](https://github.com/goharbor/harbor) |
| |
| ### Credits Thanks to [Gal |
| Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel |
| Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye |
| Security](https://www.oxeye.io/) for reporting this issue. |
| cves: |
| - CVE-2022-31667 |
| ghsas: |
| - GHSA-xx9w-464f-7h6f |
| references: |
| - advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f |
| notes: |
| - lint: 'description: possible markdown formatting (found ### )' |
| - lint: 'modules[0] "github.com/goharbor/harbor": version 1.0.0 does not exist' |
| source: |
| id: GHSA-xx9w-464f-7h6f |
