Jay Chen

**Name of the Vulnerable Software and Affected Versions** Harbor versions prior to 2.9.5 Harbor versions prior to 2.10.3 **Description** The issue arises from incorrect user permission validation, allowing authenticated users with the maintainer role to modify configurations. This can be exploited through API calls such as PUT /projects/{project name or id}/metadatas/{meta name}, POST /projects/{project name or id}/metadatas/{meta name}, and DELETE /projects/{project name or id}/metadatas/{meta name}. The maintainer role, intended for individuals supporting project admins, can utilize the metadata API to circumvent configuration management limitations. However, the attacker must be authenticated and granted a specific project maintainer role, limiting their scope to that project. **Recommendations** For Harbor versions prior to 2.9.5, update to version 2.9.5 or later. For Harbor versions prior to 2.10.3, update to version 2.10.3 or later. As a temporary workaround, consider restricting access to the metadata API for users with the maintainer role until a patch is available.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "POST /secretaries" endpoint allows a low-privileged user to create a low-privileged user (secretary) in the system, resulting in unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "POST /admins" endpoint allows a low-privileged user to create a high-privileged user (admin) in the system, resulting in privilege escalation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "POST /providers" endpoint allows a low-privileged user to create a privileged user (provider) in the system, resulting in privilege escalation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** A BOLA vulnerability in the "POST /services" endpoint allows a low-privileged user to create a service for any user in the system, including admin, resulting in unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "POST /customers" endpoint allows a low-privileged user to create a new low-privileged user (customer) in the system, resulting in unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "GET, PUT, DELETE /categories/{categoryId}" endpoint allows a low-privileged user to fetch, modify, or delete the category of any user, including admin. This results in unauthorized access and unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software name or affected versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "GET, PUT, DELETE /providers/{providerId}" endpoint allows a low-privileged user to fetch, modify, or delete a privileged user (provider), resulting in unauthorized access and unauthorized data manipulation. The `providerId` variable is used in this vulnerable endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software name or affected versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "GET, PUT, DELETE /appointments/{appointmentId}" endpoint allows a low-privileged user to fetch, modify, or delete an appointment of any user, including admins. This results in unauthorized access and unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "GET, PUT, DELETE /webhooks/{webhookId}" endpoint allows a low-privileged user to fetch, modify, or delete a webhook of any user, including admin. This results in unauthorized access and unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "GET, PUT, DELETE /secretaries/{secretaryId}" endpoint allows a low-privileged user to fetch, modify, or delete a low-privileged user (secretary), resulting in unauthorized access and unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the API endpoints "GET, PUT, DELETE /admins/{adminId}" allows a low-privileged user to fetch, modify, or delete a high-privileged user (admin), resulting in unauthorized access and unauthorized data manipulation. The `adminId` variable is used in these endpoints. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in GET, PUT, DELETE "/settings/{settingName}" allows a low privileged user to fetch, modify or delete the settings of any user, including admin. This results in unauthorized access and unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "GET, PUT, DELETE /customers/{customerId}" endpoint allows a low-privileged user to fetch, modify, or delete a customer, resulting in unauthorized access and unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software name or affected versions are mentioned in the provided descriptions. **Description** A BOLA vulnerability in the "GET, PUT, DELETE /services/{serviceId}" endpoint allows a low-privileged user to fetch, modify, or delete the services of any user, including admin. This results in unauthorized access and unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** A BOLA vulnerability in the "POST /appointments" endpoint allows a low-privileged user to create an appointment for any user in the system, including administrators. This results in unauthorized data manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the "POST /appointments" endpoint to minimize the risk of exploitation. Avoid using this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Grafana versions 9.5.0 through 9.5.17 Grafana versions 10.0.0 through 10.0.12 Grafana versions 10.1.0 through 10.1.8 Grafana versions 10.2.0 through 10.2.5 Grafana versions 10.3.0 through 10.3.4 **Description** The issue is related to a Broken Object-Level Authorization (BOLA) vulnerability, which allows low-privileged users to delete dashboard snapshots belonging to other organizations using the snapshot's key. This can be done by issuing a DELETE request to the `/api/snapshots/<key>` endpoint. The vulnerability is caused by a bug in the authorization logic, which treats deletion requests from unprivileged users in different organizations as authorized. Technical details about exploitation include: - **API Endpoint:** `/api/snapshots/<key>` - **Vulnerable Parameter or Variable:** `key` - The attacker must know the `key` of a snapshot to exploit this vulnerability. The `key` can be discovered in various ways, such as being displayed in plain text in the URL of a snapshot or being guessed through brute-force attacks due to a lack of complexity requirements. **Recommendations** To resolve the issue for each affected version, update to the respective fixed version or later: - For versions 9.5.0 through 9.5.17, update to version 9.5.18 or later. - For versions 10.0.0 through 10.0.12, update to version 10.0.13 or later. - For versions 10.1.0 through 10.1.8, update to version 10.1.9 or later. - For versions 10.2.0 through 10.2.5, update to version 10.2.6 or later. - For versions 10.3.0 through 10.3.4, update to version 10.3.5 or later. As a temporary workaround, consider restricting access to the `/api/snapshots/<key>` endpoint to minimize the risk of exploitation.