CVE-2022-31671 — Harbor fails to validate the user permissions when reading and updating job exec

Description

Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database.

How to fix CVE-2022-31671

To remediate CVE-2022-31671, upgrade the affected package to a fixed version below.

—upgrade to 2.4.3 or later
—upgrade to 1.10.13 or later

Is CVE-2022-31671 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 2.0.0, < 2.4.3, >= 2.5.0, < 2.5.2
>= 1.0.0, < 1.10.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-31671
PATCHgithub.com/goharbor/harbor
WEBgithub.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7
WEBgithub.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw