id: GO-TEST-ID
modules:
    - module: github.com/goharbor/harbor
      versions:
        - introduced: 1.0.0
          fixed: 1.10.13
    - module: github.com/goharbor/harbor
      versions:
        - introduced: 2.0.0
          fixed: 2.4.3
    - module: github.com/goharbor/harbor
      versions:
        - introduced: 2.5.0
          fixed: 2.5.2
summary: Harbor fails to validate the user permissions when updating a robot account
description: |-
    ### Impact
    Harbor fails to validate the user permissions when updating a robot
    account that belongs to a project that the authenticated user doesn’t have
    access to. API call:

    PUT /robots/{robot_id}

    By sending a request that attempts to update a robot account, and specifying a
    robot account id and robot account name that belongs to a different project that
    the user doesn’t have access to, it was possible to revoke the robot account
    permissions.

    ### Patches
    This and similar issues are fixed in Harbor v2.5.2 and later. Please
    upgrade as soon as possible.

    ### Workarounds
    There are no workarounds available.

    ### For more information
    If you have any questions or comments about this advisory:

    * Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)

    ### Credits
    Thanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and
    [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from
    [Oxeye Security](https://www.oxeye.io/) for reporting this issue.
cves:
    - CVE-2022-31667
ghsas:
    - GHSA-xx9w-464f-7h6f
references:
    - web: https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f
    - package: https://github.com/goharbor/harbor
notes:
    - 'lint: github.com/goharbor/harbor: bad version "1.0.0": HTTP GET /github.com/goharbor/harbor/@v/v1.0.0.mod returned status 404 Not Found'
    - 'lint: github.com/goharbor/harbor: bad version "2.0.0": github.com/goharbor/harbor@v2.0.0: invalid version: should be v0 or v1, not v2'
    - 'lint: github.com/goharbor/harbor: bad version "2.5.0": github.com/goharbor/harbor@v2.5.0: invalid version: should be v0 or v1, not v2'
    - 'lint: redundant non-advisory reference to GHSA-xx9w-464f-7h6f'