internal/genericosv/testdata/yaml/GHSA-xx9w-464f-7h6f.yaml - vulndb - Git at Google

 id: GO-TEST-ID
 modules:
     - module: github.com/goharbor/harbor
       versions:
         - introduced: 1.0.0
           fixed: 1.10.13
     - module: github.com/goharbor/harbor
       versions:
         - introduced: 2.0.0
           fixed: 2.4.3
     - module: github.com/goharbor/harbor
       versions:
         - introduced: 2.5.0
           fixed: 2.5.2
 summary: Harbor fails to validate the user permissions when updating a robot account
 description: |-
     ### Impact Harbor fails to validate the user permissions when updating a robot
     account that belongs to a project that the authenticated user doesn’t have
     access to. API call:

     PUT /robots/{robot_id}

     By sending a request that attempts to update a robot account, and specifying a
     robot account id and robot account name that belongs to a different project that
     the user doesn’t have access to, it was possible to revoke the robot account
     permissions.

     ### Patches This and similar issues are fixed in Harbor v2.5.2 and later. Please
     upgrade as soon as possible.

     ### Workarounds There are no workarounds available.

     ### For more information If you have any questions or comments about this
     advisory:
     * Open an issue in [the Harbor GitHub
     repository](https://github.com/goharbor/harbor)

     ### Credits Thanks to [Gal
     Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel
     Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye
     Security](https://www.oxeye.io/) for reporting this issue.
 cves:
     - CVE-2022-31667
 ghsas:
     - GHSA-xx9w-464f-7h6f
 references:
     - web: https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f
     - package: https://github.com/goharbor/harbor
 notes:
     - 'lint: github.com/goharbor/harbor: bad version "1.0.0": HTTP GET /github.com/goharbor/harbor/@v/v1.0.0.mod returned status 404 Not Found'
     - 'lint: github.com/goharbor/harbor: bad version "2.0.0": github.com/goharbor/harbor@v2.0.0: invalid version: should be v0 or v1, not v2'
     - 'lint: github.com/goharbor/harbor: bad version "2.5.0": github.com/goharbor/harbor@v2.5.0: invalid version: should be v0 or v1, not v2'
     - 'lint: redundant non-advisory reference to GHSA-xx9w-464f-7h6f'
	id: GO-TEST-ID
	modules:
	- module: github.com/goharbor/harbor
	versions:
	- introduced: 1.0.0
	fixed: 1.10.13
	- module: github.com/goharbor/harbor
	versions:
	- introduced: 2.0.0
	fixed: 2.4.3
	- module: github.com/goharbor/harbor
	versions:
	- introduced: 2.5.0
	fixed: 2.5.2
	summary: Harbor fails to validate the user permissions when updating a robot account
	description: \|-
	### Impact Harbor fails to validate the user permissions when updating a robot
	account that belongs to a project that the authenticated user doesn’t have
	access to. API call:

	PUT /robots/{robot_id}

	By sending a request that attempts to update a robot account, and specifying a
	robot account id and robot account name that belongs to a different project that
	the user doesn’t have access to, it was possible to revoke the robot account
	permissions.

	### Patches This and similar issues are fixed in Harbor v2.5.2 and later. Please
	upgrade as soon as possible.

	### Workarounds There are no workarounds available.

	### For more information If you have any questions or comments about this
	advisory:
	* Open an issue in [the Harbor GitHub
	repository](https://github.com/goharbor/harbor)

	### Credits Thanks to [Gal
	Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel
	Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye
	Security](https://www.oxeye.io/) for reporting this issue.
	cves:
	- CVE-2022-31667
	ghsas:
	- GHSA-xx9w-464f-7h6f
	references:
	- web: https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f
	- package: https://github.com/goharbor/harbor
	notes:
	- 'lint: github.com/goharbor/harbor: bad version "1.0.0": HTTP GET /github.com/goharbor/harbor/@v/v1.0.0.mod returned status 404 Not Found'
	- 'lint: github.com/goharbor/harbor: bad version "2.0.0": github.com/goharbor/harbor@v2.0.0: invalid version: should be v0 or v1, not v2'
	- 'lint: github.com/goharbor/harbor: bad version "2.5.0": github.com/goharbor/harbor@v2.5.0: invalid version: should be v0 or v1, not v2'
	- 'lint: redundant non-advisory reference to GHSA-xx9w-464f-7h6f'