CVE-2024-22278 - Harbor fails to validate the user permissions when updating project configurations

Article ID: 423547

Updated On:

Products

VMware Tanzu Kubernetes Grid Management

Issue/Introduction

Harbor fails to validate the maintainer role's permissions when creating, updating, or deleting project configurations through the following API calls:

PUT /projects/{project_name_or_id}/metadatas/{meta_name}
POST /projects/{project_name_or_id}/metadatas/{meta_name}
DELETE /projects/{project_name_or_id}/metadatas/{meta_name}

Environment

Harbor versions: below v2.9.5 and v2.10.3

Resolution

This vulnerability has been addressed and fixed in v2.9.5, v2.10.3, and v2.11.0.
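
The following is an added example, not code from this article or from the Harbor project: it checks a Harbor version string against the fixed releases listed above and pulls successful calls to the three affected endpoints out of proxy access logs so the resulting metadata changes can be reviewed. It assumes a combined-format access log, an optional `/api/v2.0` path prefix, and that release lines older than 2.9 are affected; the log lines are constructed sample data.

```python
import re

# Fixed patch level per release line, taken from the Resolution section above.
FIXED_PATCH = {(2, 9): 5, (2, 10): 3}

def is_affected(version):
    """True if a Harbor version such as 'v2.10.2' predates the fixed releases."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())  # build suffix ignored
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    # Assumption: lines older than 2.9 are affected; 2.11.0 and later are fixed.
    return (major, minor) < (2, 9)

# The three write calls from the advisory; the "/api/v2.0" prefix is optional.
METADATA_WRITE = re.compile(
    r'"(?P<method>PUT|POST|DELETE) (?:/api/v2\.0)?/projects/(?P<project>[^/\s]+)'
    r'/metadatas/(?P<meta>[^/\s?]+)[^"]*" (?P<status>\d{3})'
)

def metadata_writes(lines):
    """Return (method, project, meta_name, status) for writes that succeeded (2xx)."""
    hits = []
    for line in lines:
        m = METADATA_WRITE.search(line)
        if m and m["status"].startswith("2"):
            hits.append((m["method"], m["project"], m["meta"], int(m["status"])))
    return hits

# Constructed sample access-log lines (assumed combined log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "PUT /api/v2.0/projects/demo/metadatas/public HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /api/v2.0/projects/demo/metadatas/public HTTP/1.1" 200 17',
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "DELETE /api/v2.0/projects/7/metadatas/auto_scan HTTP/1.1" 403 52',
]

if __name__ == "__main__":
    for v in ("v2.9.4", "v2.10.3", "v2.11.0"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in metadata_writes(SAMPLE_LOG):
        print("review:", hit)
```

The access log alone does not show the caller's project role, so each hit still has to be matched to a user and role before deciding whether the change was authorized.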