7.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31668

CVE-2022-31668: Harbor fails to validate the user permissions when updating p2p preheat policies

Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-31668

CVE-2022-31668:

7.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/goharbor/harbor	go	>= 2.0.0, < 2.4.3	2.4.3
github.com/goharbor/harbor	go	>= 2.5.0, < 2.5.2	2.5.2
github.com/goharbor/harbor/src	go	< 0.0.0-20220630175814-b4ef1db	0.0.0-20220630175814-b4ef1db

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers around missing authorization checks in the p2p preheat policy update flow. Based on: 1) The documented API endpoint PUT /projects/{project_name}/preheat/policies/{preheat_policy_name} 2) Standard Harbor architecture where controllers handle business logic and APIs expose endpoints 3) CWE-285 indicating missing authorization checks 4) The attack vector requiring policy ID manipulation without project access validation. The controller layer would typically handle policy retrieval/modification while the API layer handles request routing. Both layers would need proper authorization checks to prevent this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31668: Harbor fails to validate the user permissions when updating p2p preheat policies

CVE-2022-31668:

7.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.4

7.4

Technical Details

CVE-2022-31668: Harbor fails to validate the user permissions when updating p2p preheat policies

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI