PT-2022-20881 · Harbor · Harbor

Daniel Abeles +1

Published 2022-09-16 · Updated 2024-11-20

CVE-2022-31669

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Harbor versions prior to 2.5.2

Description: The issue arises from Harbor's failure to validate user permissions when updating tag immutability policies. This can be exploited by sending a request to update a tag immutability policy with an id belonging to a project that the currently authenticated user doesn't have access to, allowing the attacker to modify tag immutability policies configured in other projects. The API endpoint PUT /projects/{project name or id}/immutabletagrules/{immutable rule id} is involved in this issue.

Recommendations: For Harbor versions prior to 2.5.2, upgrade to Harbor v2.5.2 or later as soon as possible to fix the issue. As a temporary workaround, consider restricting access to the PUT /projects/{project name or id}/immutabletagrules/{immutable rule id} API endpoint to minimize the risk of exploitation.
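The authorization gap described above, as an added example in Go that is not Harbor's own code: a minimal model of the PUT endpoint that enforces both the caller's role on the project named in the path and the binding of the rule id to that same project. The types, the in-memory store and the sample data are assumptions constructed for this example.

```go
package main

import "errors"

// ImmutableRule is a simplified stand-in for a Harbor tag immutability rule
// (field names are assumptions for this example, not Harbor's own types).
type ImmutableRule struct {
	ProjectID int64
	Disabled  bool
}

// Store keeps rules by id and, per project id, which users may manage its rules.
type Store struct {
	Rules map[int64]*ImmutableRule
	Roles map[int64]map[string]bool
}

var (
	ErrNotFound  = errors.New("rule not found")
	ErrForbidden = errors.New("forbidden")
)

// UpdateRule models PUT /projects/{project}/immutabletagrules/{rule};
// pathProjectID and ruleID are the two identifiers taken from the URL path.
func (s *Store) UpdateRule(user string, pathProjectID, ruleID int64, disabled bool) error {
	// Check 1: the caller must be authorised on the project named in the path.
	if !s.Roles[pathProjectID][user] {
		return ErrForbidden
	}
	rule, ok := s.Rules[ruleID]
	if !ok {
		return ErrNotFound
	}
	// Check 2, the one the advisory describes as missing: the rule must belong to
	// that same project, or a user with rights on project A can edit B's rule.
	if rule.ProjectID != pathProjectID {
		return ErrNotFound // do not confirm that a foreign rule id exists
	}
	rule.Disabled = disabled
	return nil
}

// NewDemoStore builds constructed sample data: alice manages project 1 only;
// rule 10 belongs to project 1 and rule 20 to project 2.
func NewDemoStore() *Store {
	return &Store{
		Rules: map[int64]*ImmutableRule{10: {ProjectID: 1}, 20: {ProjectID: 2}},
		Roles: map[int64]map[string]bool{1: {"alice": true}},
	}
}
```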

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

BIT-HARBOR-2022-31669
CVE-2022-31669
GHSA-8C6P-V837-77F6

Affected Products

Harbor