
CVE-2022-31666: Harbor fails to validate the user permissions when viewing Webhook policies

CVSS Score: 7.7 (CVSS v3.1)

Basic Information

EPSS Score
0.24648%
Published
9/16/2022
Updated
11/14/2024
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
| Package Name               | Ecosystem | Vulnerable Versions    | First Patched Version |
|----------------------------|-----------|------------------------|-----------------------|
| github.com/goharbor/harbor | go        | >= 1.0.0, <= 1.10.12   | 1.10.13               |
| github.com/goharbor/harbor | go        | >= 2.0.0, <= 2.4.2     | 2.4.3                 |
| github.com/goharbor/harbor | go        | >= 2.5.0, <= 2.5.1     | 2.5.2                 |

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a missing authorization check when a webhook policy is retrieved through a specific API endpoint. The handler for this endpoint (likely GetWebhookPolicy in project.go) did not verify that the requesting user had access rights to the project that owns the webhook policy identified by the policy ID parameter. This matches CWE-285 (Improper Authorization), where the authorization check is absent, and aligns with the described attack vector, in which substituting other policy IDs returns policies belonging to projects the user is not authorized to view. The high confidence comes from the direct correlation between the documented API endpoint and the standard Harbor project/webhook controller structure.
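To make the root cause concrete, the following Go snippet is an added illustration written for this page; it is not Harbor's code, and the type, function and field names (WebhookPolicy, PolicyStore, Membership, getWebhookPolicyVulnerable, getWebhookPolicyFixed, AuthHeader) are hypothetical. It models the flawed pattern (project access checked, but the policy loaded by ID alone) beside the hardened form, which also requires the policy to belong to the project the caller was authorized for.

```go
package main

import (
	"errors"
	"fmt"
)

// WebhookPolicy is a simplified, constructed model of a webhook policy.
// AuthHeader stands in for the "relevant credentials" the advisory says
// can be exposed when a policy from another project is returned.
type WebhookPolicy struct {
	ID         int64
	ProjectID  int64
	Name       string
	TargetURL  string
	AuthHeader string
}

// PolicyStore maps policy ID -> policy (constructed in-memory stand-in for the DB).
type PolicyStore map[int64]WebhookPolicy

// Membership maps user -> set of project IDs the user may read.
type Membership map[string]map[int64]bool

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// getWebhookPolicyVulnerable mirrors the CWE-285 pattern: the caller's access
// to the project in the request path is checked, but the policy is then looked
// up by ID alone, so a policy owned by any project is returned.
func getWebhookPolicyVulnerable(store PolicyStore, m Membership, user string, projectID, policyID int64) (WebhookPolicy, error) {
	if !m[user][projectID] {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := store[policyID]
	if !ok {
		return WebhookPolicy{}, ErrNotFound
	}
	return p, nil // missing: p.ProjectID == projectID
}

// getWebhookPolicyFixed adds the ownership check. A policy that exists but
// belongs to a different project is reported as not found rather than
// forbidden, so the response does not confirm the ID is valid elsewhere.
func getWebhookPolicyFixed(store PolicyStore, m Membership, user string, projectID, policyID int64) (WebhookPolicy, error) {
	if !m[user][projectID] {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := store[policyID]
	if !ok || p.ProjectID != projectID {
		return WebhookPolicy{}, ErrNotFound
	}
	return p, nil
}

// sampleData builds constructed test data: two projects, one policy each,
// and a user who is a member of project 10 only.
func sampleData() (PolicyStore, Membership) {
	store := PolicyStore{
		1: {ID: 1, ProjectID: 10, Name: "ci-notify", TargetURL: "https://ci.example.test/hook", AuthHeader: "Bearer token-for-project-10"},
		2: {ID: 2, ProjectID: 20, Name: "audit-feed", TargetURL: "https://siem.example.test/hook", AuthHeader: "Bearer token-for-project-20"},
	}
	m := Membership{"alice": {10: true}}
	return store, m
}

func main() {
	store, m := sampleData()
	// alice asks project 10's endpoint for policy 2, which belongs to project 20.
	if p, err := getWebhookPolicyVulnerable(store, m, "alice", 10, 2); err == nil {
		fmt.Printf("vulnerable: leaked policy %d of project %d (%s)\n", p.ID, p.ProjectID, p.AuthHeader)
	}
	if _, err := getWebhookPolicyFixed(store, m, "alice", 10, 2); err != nil {
		fmt.Println("fixed:", err)
	}
}
```

The check that matters is the single `p.ProjectID != projectID` comparison: project-level access control is only meaningful if every object reached through a project-scoped route is confirmed to belong to that project before it is returned.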


WAF Protection Rules

WAF Rule

Impact

Harbor fails to validate the user permissions to view Webhook policies including relevant credentials configured in different projects the user doesn't have access to, resulting in malicious users being able to read Webhook policies of oth…
