Harbor — реестр для хранения Docker образов c открытым исходным кодом.
Релизный цикл, информация об уязвимостях
График релизов
Количество 76
GHSA-r864-28pw-8682
Harbor fails to validate the user permissions when updating p2p preheat policies
CVE-2022-31671
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.
CVE-2022-31670
Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects.
CVE-2022-31669
Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects.
CVE-2022-31668
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
CVE-2022-31667
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.
CVE-2024-22278
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
GHSA-hw28-333w-qxp3
Harbor fails to validate the user permissions when updating project configurations
CVE-2024-22244
Open Redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site.
GHSA-5757-v49g-f6r7
Open Redirect URL in Harbor
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-r864-28pw-8682 Harbor fails to validate the user permissions when updating p2p preheat policies | CVSS3: 7.4 | 0% Низкий | 7 месяцев назад |
 | CVE-2022-31671 Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. | CVSS3: 7.4 | 0% Низкий | 7 месяцев назад |
| CVE-2022-31670 Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag retention policies configured in other projects. | CVSS3: 7.7 | 0% Низкий | 7 месяцев назад |
| CVE-2022-31669 Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects. | CVSS3: 6.4 | 0% Низкий | 7 месяцев назад |
| CVE-2022-31668 Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects. | CVSS3: 7.4 | 0% Низкий | 7 месяцев назад |
| CVE-2022-31667 Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions. | CVSS3: 6.4 | 0% Низкий | 7 месяцев назад |
| CVE-2024-22278 Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations. | CVSS3: 6.4 | 0% Низкий | 11 месяцев назад |
| GHSA-hw28-333w-qxp3 Harbor fails to validate the user permissions when updating project configurations | CVSS3: 5.5 | 0% Низкий | 11 месяцев назад |
| CVE-2024-22244 Open Redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site. | CVSS3: 4.3 | 0% Низкий | около 1 года назад |
| GHSA-5757-v49g-f6r7 Open Redirect URL in Harbor | CVSS3: 4.3 | 0% Низкий | около 1 года назад |
Уязвимостей на страницу