Closed
Description
In GitHub Security Advisory GHSA-q76q-q8hw-hmpw, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/goharbor/harbor | 2.5.2 | >= 2.5, <= 2.5.1 |
See doc/triage.md for instructions on how to triage this report.
modules:
- module: TODO
versions:
- introduced: TODO (earliest fixed "2.5.2", vuln range ">= 2.5, <= 2.5.1")
packages:
- package: github.com/goharbor/harbor
- module: TODO
versions:
- introduced: TODO (earliest fixed "2.4.3", vuln range ">= 2.0, <= 2.4.2")
packages:
- package: github.com/goharbor/harbor
- module: TODO
versions:
- introduced: TODO (earliest fixed "1.10.13", vuln range ">= 1.0, <= 1.10.12")
packages:
- package: github.com/goharbor/harbor
description: |
### Impact
Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs - API call
GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}/tasks/{task_id}/logs
By sending a request that attempts to read P2P preheat execution logs and specifying different job ids, malicious authenticatedusers could read all the job logs stored in the Harbor database.
### Patches
This and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.
### Workarounds
There are no workarounds available.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)
### Credits
Thanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye Security](https://www.oxeye.io/) for reporting this issue.
cves:
- CVE-2022-31671
ghsas:
- GHSA-q76q-q8hw-hmpw