PT-2022-20880 · Harbor · Harbor

Daniel Abeles +1 · Published 2022-09-16 · Updated 2024-11-20

CVE-2022-31667
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Harbor versions prior to 2.5.2
Description: Harbor fails to validate the caller's permissions when updating a robot account that belongs to a project the authenticated user has no access to. By sending an update request that specifies the robot account ID and robot account name of a robot in a different project, an authenticated user could revoke that robot account's permissions. The request goes to the API endpoint "PUT /robots/{robot id}": the server looks the robot up by the ID in the path but does not check that the caller is authorized on the project that owns it.
Recommendations: For Harbor versions prior to 2.5.2, upgrade to Harbor v2.5.2 or later as soon as possible. As a temporary workaround until the upgrade is done, restrict access to the "PUT /robots/{robot id}" API endpoint (for example, at the reverse proxy in front of Harbor) so that robot accounts cannot be updated by unauthorized users.
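The following Go program is an added illustration of the authorization flaw in the description and of the check the fix needs; it is not Harbor's code and does not reproduce Harbor's handler or data model. It models robots and project membership in memory with hypothetical types (Robot, User, Store), implements the update once without an ownership check (UpdateRobotVulnerable) and once with it (UpdateRobotFixed), and replays the cross-project request from the description: a user who is a member only of project 2 sends an update that empties the permission list of a robot owned by project 1.

```go
package main

import (
	"errors"
	"fmt"
)

// Robot is a simplified, hypothetical model of a robot account: it belongs
// to exactly one project and carries a list of permissions.
type Robot struct {
	ID          int64
	Name        string
	ProjectID   int64
	Permissions []string // e.g. "repository:pull", "repository:push"
}

// User carries the set of project IDs the authenticated caller is a member of.
type User struct {
	Name     string
	Projects map[int64]bool
}

// Store is an in-memory stand-in for the database.
type Store struct {
	robots map[int64]*Robot
}

var (
	ErrNotFound  = errors.New("robot not found")
	ErrForbidden = errors.New("forbidden: caller has no access to the robot's project")
)

// UpdateRobotVulnerable mirrors the flaw described in the advisory: it trusts
// the robot ID supplied by the client and never checks whether the caller may
// act on the project that owns the robot. Any authenticated user can therefore
// overwrite (or empty) the permission list of a robot in another project.
func (s *Store) UpdateRobotVulnerable(caller User, robotID int64, newPerms []string) error {
	r, ok := s.robots[robotID]
	if !ok {
		return ErrNotFound
	}
	r.Permissions = newPerms
	return nil
}

// UpdateRobotFixed resolves the robot to its owning project first and requires
// the caller to be a member of that project before any field is modified.
// The authorization decision is based on the stored ProjectID, not on anything
// the client sent in the request body.
func (s *Store) UpdateRobotFixed(caller User, robotID int64, newPerms []string) error {
	r, ok := s.robots[robotID]
	if !ok {
		// Not-found and forbidden are distinguished here for clarity; a real API
		// may prefer a uniform 404 so that robot IDs cannot be enumerated.
		return ErrNotFound
	}
	if !caller.Projects[r.ProjectID] {
		return ErrForbidden
	}
	r.Permissions = newPerms
	return nil
}

// newSampleStore builds constructed sample data: one robot in project 1 with
// pull and push rights.
func newSampleStore() *Store {
	return &Store{robots: map[int64]*Robot{
		7: {ID: 7, Name: "robot$proj1+ci", ProjectID: 1,
			Permissions: []string{"repository:pull", "repository:push"}},
	}}
}

// runScenario replays the cross-project update against both handlers. The
// attacker is a member of project 2 only and tries to empty the permissions of
// robot 7, which belongs to project 1. It returns the permissions the robot is
// left with under each handler and the error the fixed handler produced.
func runScenario() (vulnPerms []string, fixedPerms []string, fixedErr error) {
	attacker := User{Name: "mallory", Projects: map[int64]bool{2: true}}

	vuln := newSampleStore()
	_ = vuln.UpdateRobotVulnerable(attacker, 7, []string{})
	vulnPerms = vuln.robots[7].Permissions

	fixed := newSampleStore()
	fixedErr = fixed.UpdateRobotFixed(attacker, 7, []string{})
	fixedPerms = fixed.robots[7].Permissions
	return
}

func main() {
	vuln, fixed, err := runScenario()
	fmt.Printf("vulnerable handler: robot left with %v\n", vuln)
	fmt.Printf("fixed handler:      error=%v, robot left with %v\n", err, fixed)
}
```

The point of the fixed handler is where the project comes from: it is read from the robot record that the ID resolves to, and membership is checked against that, so a client cannot substitute a different project by changing the ID or name in the request. A proxy rule that blocks the endpoint outright, as the workaround above suggests, is a coarse substitute for this check and also blocks legitimate updates, which is why it is only a stopgap until the upgrade.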

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

BIT-HARBOR-2022-31667
CVE-2022-31667
GHSA-XX9W-464F-7H6F

Affected Products

Harbor