CVE-2022-31666: Harbor fails to validate the user permissions when viewing Webhook policies
CVSS Score: 7.7 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-31666
EPSS Score: 0.24648%
Published: 9/16/2022
Updated: 11/14/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/goharbor/harbor | go | >= 1.0.0, <= 1.10.12 | 1.10.13 |
| github.com/goharbor/harbor | go | >= 2.0.0, <= 2.4.2 | 2.4.3 |
| github.com/goharbor/harbor | go | >= 2.5.0, <= 2.5.1 | 2.5.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a missing authorization check when a webhook policy is retrieved through its API endpoint. The handler for that endpoint (likely GetWebhookPolicy in project.go) did not verify that the requesting user had access to the project owning the webhook policy identified by the policy ID parameter. This matches CWE-285 (Improper Authorization), where an authorization check is absent, and aligns with the described attack vector: changing the policy ID exposes the webhook policies of projects the user is not authorized to view. The high confidence comes from the direct correlation between the documented API endpoint and the standard Harbor project/webhook controller structure.
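As an added illustration (not Harbor's code), the Go sketch below contrasts a lookup with the missing check described above against one that binds the policy to the requested project and verifies the caller's project membership; the types, store, user names and policy values are constructed stand-ins.

```go
package main

import "errors"

// Constructed stand-ins for Harbor's policy store and project membership;
// the names and values are not Harbor's own.
type WebhookPolicy struct {
	ID, ProjectID int64
	Target        string // notification endpoint
}

var policies = map[int64]WebhookPolicy{
	1: {ID: 1, ProjectID: 10, Target: "https://hooks.example.test/a"},
	2: {ID: 2, ProjectID: 20, Target: "https://hooks.example.test/b"},
}

var projectMembers = map[int64]map[string]bool{ // project ID -> readers
	10: {"alice": true},
	20: {"bob": true},
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// getPolicyVulnerable mirrors the CWE-285 pattern: it trusts the policy ID
// from the request and never checks the caller's rights on the owning project.
func getPolicyVulnerable(user string, projectID, policyID int64) (WebhookPolicy, error) {
	if p, ok := policies[policyID]; ok {
		return p, nil
	}
	return WebhookPolicy{}, ErrNotFound
}

// getPolicyHardened requires membership in the requested project and rejects
// a policy that belongs to a different project than the one in the request.
func getPolicyHardened(user string, projectID, policyID int64) (WebhookPolicy, error) {
	if !projectMembers[projectID][user] {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := policies[policyID]
	if !ok || p.ProjectID != projectID {
		return WebhookPolicy{}, ErrNotFound // do not reveal other projects' policies
	}
	return p, nil
}
```

With these fixtures, bob (a member of project 20 only) receives project 10's policy from getPolicyVulnerable but a not-found error from getPolicyHardened.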