PT-2022-20879 · Harbor · Harbor

Daniel Abeles

Published: 2022-09-16
Updated: 2026-01-26

CVE-2022-31666
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Harbor versions prior to 2.5.2

Description: The issue allows malicious users to view, update, and delete Webhook policies of other users due to a failure in validating user permissions. This can be exploited through the API endpoint "GET /projects/{project name or id}/webhook/policies/{webhook policy id}" by specifying different Webhook policy IDs. The attacker could modify Webhook policies configured in other projects.

Recommendations: For Harbor versions prior to 2.5.2, upgrade to Harbor v2.5.2 or later as soon as possible. As a temporary workaround, consider restricting access to the API endpoint "GET /projects/{project name or id}/webhook/policies/{webhook policy id}" to minimize the risk of exploitation.
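The authorization gap described above, as an added illustration that is not Harbor's own code: a minimal Go model of the endpoint's permission logic, first with the flaw the advisory describes (the policy is loaded by ID alone after a project-level permission check) and then with the ownership check that closes it. The policy type, sample policies and project memberships are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// WebhookPolicy is a constructed stand-in for Harbor's webhook policy record, not Harbor's own type.
type WebhookPolicy struct {
	ID        int64
	ProjectID int64
}

// Constructed data: policy 1 belongs to project 10, policy 2 to project 20; alice is a member of 10, bob of 20.
var policies = map[int64]WebhookPolicy{1: {1, 10}, 2: {2, 20}}
var membership = map[string]map[int64]bool{"alice": {10: true}, "bob": {20: true}}
var ErrForbidden, ErrNotFound = errors.New("forbidden"), errors.New("not found")

// getPolicyVulnerable mirrors the flaw in the advisory: it confirms the caller may act in the
// project named in the URL, then loads the policy by ID alone, never checking its project.
func getPolicyVulnerable(user string, projectID, policyID int64) (WebhookPolicy, error) {
	if !membership[user][projectID] {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := policies[policyID]
	if !ok {
		return WebhookPolicy{}, ErrNotFound
	}
	return p, nil
}

// getPolicyFixed adds the missing ownership check: a policy is only reachable through
// the project it was created in. Answering "not found" avoids confirming the ID exists.
func getPolicyFixed(user string, projectID, policyID int64) (WebhookPolicy, error) {
	if !membership[user][projectID] {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := policies[policyID]
	if !ok || p.ProjectID != projectID {
		return WebhookPolicy{}, ErrNotFound
	}
	return p, nil
}

func main() {
	// alice, a member of project 10 only, asks project 10 for policy 2, which project 20 owns.
	_, errV := getPolicyVulnerable("alice", 10, 2)
	_, errF := getPolicyFixed("alice", 10, 2)
	fmt.Println("vulnerable:", errV, "| fixed:", errF) // vulnerable: <nil> | fixed: not found
}
```

The same ownership check applies to the update and delete paths the advisory mentions, since all three resolve the policy from the URL's policy ID.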

Fix

Weakness Enumeration

Improper Authorization

Related Identifiers

BIT-HARBOR-2022-31666
CVE-2022-31666
GHSA-8HWQ-5F22-JFR3
GHSA-JF8P-3VJH-PQ94

Affected Products

Harbor