GHSA-3637-v6vq-xqqw

GitHub Security Advisory

Harbor fails to validate the user permissions when updating tag retention policies

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact
Harbor fails to validate the user's permissions when updating tag retention policies. API call:

PUT /retentions/{id}

The endpoint authenticates the caller but never checks that the caller is authorized on the
project that owns policy `{id}`, so the only thing standing between a user and another
project's policy is the numeric id in the URL. By sending a request to update a tag retention
policy with an id that belongs to a project the currently authenticated user does not have
access to, an attacker can modify tag retention policies configured in other projects.
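The missing check, shown as a small Go handler. This is an added example, not Harbor's code: the `retentionPolicy`, `caller` and `retentionService` types, the in-memory store and the permission model (a set of project ids the caller may administer) are all assumptions chosen to mirror the advisory's description. With `enforceProjectScope` off, the handler reproduces the flaw: any authenticated caller can overwrite any `/retentions/{id}`. With it on, the owning project is resolved from the stored policy (never from caller-controlled input) and the caller must hold the project permission before anything is written.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Illustrative types only, not Harbor's: a retention policy is owned by exactly one project.
type retentionPolicy struct {
	ID        int
	ProjectID int
	Rules     []string
}

// Assumed permission model: the set of projects an authenticated caller may administer.
type caller struct {
	Name          string
	AdminProjects map[int]bool
}

type retentionService struct {
	policies            map[int]*retentionPolicy
	enforceProjectScope bool // false reproduces the advisory's flaw
}

// newStore returns a fresh, constructed sample: policy 1 in project 10, policy 2 in project 20.
func newStore() map[int]*retentionPolicy {
	return map[int]*retentionPolicy{
		1: {ID: 1, ProjectID: 10, Rules: []string{"retain latest 5"}},
		2: {ID: 2, ProjectID: 20, Rules: []string{"retain latest 50"}},
	}
}

// policyIDFromPath parses /retentions/{id}.
func policyIDFromPath(path string) (int, error) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) != 2 || parts[0] != "retentions" {
		return 0, fmt.Errorf("unexpected path %q", path)
	}
	return strconv.Atoi(parts[1])
}

// update handles PUT /retentions/{id}. Authentication alone (c != nil) is what the vulnerable
// endpoint relied on; the hardened path additionally requires project-scoped authorization,
// looked up from the stored policy's ProjectID rather than from anything in the request.
func (s *retentionService) update(c *caller, w http.ResponseWriter, r *http.Request) {
	if c == nil {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	id, err := policyIDFromPath(r.URL.Path)
	if err != nil {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	p, ok := s.policies[id]
	if !ok {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	if s.enforceProjectScope && !c.AdminProjects[p.ProjectID] {
		w.WriteHeader(http.StatusForbidden) // caller has no rights on the owning project
		return
	}
	var body struct {
		Rules []string `json:"rules"`
	}
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	p.Rules = body.Rules
	w.WriteHeader(http.StatusOK)
}

// tryUpdate drives one PUT /retentions/{id} through the handler in-process and returns the HTTP status.
func tryUpdate(s *retentionService, c *caller, id int, rules []string) int {
	body, _ := json.Marshal(map[string][]string{"rules": rules})
	req := httptest.NewRequest(http.MethodPut, "/retentions/"+strconv.Itoa(id), bytes.NewReader(body))
	rec := httptest.NewRecorder()
	s.update(c, rec, req)
	return rec.Code
}

func main() {
	// A legitimate admin of project 10 only, targeting policy 2, which belongs to project 20.
	attacker := &caller{Name: "project10-admin", AdminProjects: map[int]bool{10: true}}
	vuln := &retentionService{policies: newStore(), enforceProjectScope: false}
	fixed := &retentionService{policies: newStore(), enforceProjectScope: true}

	fmt.Println("vulnerable, foreign policy:", tryUpdate(vuln, attacker, 2, []string{"retain nothing"}))
	fmt.Println("hardened,   foreign policy:", tryUpdate(fixed, attacker, 2, []string{"retain nothing"}))
	fmt.Println("hardened,   own policy:    ", tryUpdate(fixed, attacker, 1, []string{"retain latest 10"}))
	fmt.Println("project 20 rules afterwards:", vuln.policies[2].Rules, fixed.policies[2].Rules)
}
```

The point to carry over to any object-keyed endpoint is the order of operations: load the object, derive its scope server-side, check the caller's rights on that scope, and only then parse and apply the body. Some deployments answer 404 instead of 403 for out-of-scope ids so that valid policy ids in other projects cannot be enumerated; either is fine as long as the check happens before the write.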

### Patches
This and similar issues are fixed in Harbor v2.5.2 and later; patched releases on the 1.10.x and 2.4.x lines (1.10.13 and 2.4.3) are listed under Affected Packages below. Please upgrade as soon as possible.

### Workarounds
There are no workarounds available.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)

### Credits
Thanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye Security](https://www.oxeye.io/) for reporting this issue.

Affected Packages

Go github.com/goharbor/harbor
Affected versions: >= 1.0.0, < 1.10.13 (fixed in 1.10.13)
Go github.com/goharbor/harbor
Affected versions: >= 2.0.0, < 2.4.3 (fixed in 2.4.3)
Go github.com/goharbor/harbor
Affected versions: >= 2.5.0, < 2.5.2 (fixed in 2.5.2)

Key Information

GHSA ID
GHSA-3637-v6vq-xqqw
Published
September 16, 2022 7:29 PM
Last Modified
November 19, 2024 4:24 PM
CVSS Score
7.5 /10
Primary Ecosystem
Go
Primary Package
github.com/goharbor/harbor
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 30, 2025 6:36 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.