PT-2022-20883 · Harbor · Harbor

Author: Daniel Abeles (+1)
Published: 2022-09-16 · Updated: 2024-11-25
CVE-2022-31670
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Harbor versions prior to 2.5.2
Description: Harbor fails to validate user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify tag retention policies configured in other projects. This can be achieved by sending a request to the "PUT /retentions/{id}" API endpoint.
Recommendations: For Harbor versions prior to 2.5.2, update to version 2.5.2 or later to secure your system. As a temporary workaround, consider restricting access to the "PUT /retentions/{id}" API endpoint until a patch is applied. Avoid using the id parameter in the affected API endpoint with projects that the currently authenticated user doesn't have access to, until the issue is resolved.
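The flaw described above is a missing object-level authorization check: the handler trusts the {id} path parameter and never asks which project the policy belongs to before writing. The following Go program is an added illustration of that pattern and of the check that closes it; it is not Harbor's code and does not reproduce Harbor's fix. The types, the in-memory Store, the sample policies and the user are all constructed for the example, and the "permission on a project" is modelled as a simple set of project IDs rather than Harbor's role model.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample types for illustration; they are not Harbor's own types.
type RetentionPolicy struct {
	ID        int64
	ProjectID int64 // project that owns this policy
	Rules     []string
}

type User struct {
	Name     string
	Projects map[int64]bool // project IDs the user is allowed to administer (constructed model)
}

// Store is a constructed in-memory policy table standing in for the database.
type Store struct {
	policies map[int64]*RetentionPolicy
}

var (
	ErrNotFound  = errors.New("retention policy not found")
	ErrForbidden = errors.New("caller lacks permission on the policy's project")
)

// NewSampleStore seeds two policies in two different projects (constructed data).
func NewSampleStore() *Store {
	return &Store{policies: map[int64]*RetentionPolicy{
		10: {ID: 10, ProjectID: 1, Rules: []string{"keep latest 5"}},
		20: {ID: 20, ProjectID: 2, Rules: []string{"keep latest 10"}},
	}}
}

// UpdateRetentionVulnerable mirrors the flaw the advisory describes: the handler
// trusts the {id} path parameter and never resolves which project the policy
// belongs to, so any authenticated user can rewrite any policy by id.
func UpdateRetentionVulnerable(s *Store, u *User, id int64, rules []string) error {
	p, ok := s.policies[id]
	if !ok {
		return ErrNotFound
	}
	p.Rules = rules
	return nil
}

// UpdateRetentionFixed resolves the owning project from the stored record rather
// than from anything the caller supplied, and checks the caller's permission on
// that project before any state change. Illustrative only, not Harbor's fix.
func UpdateRetentionFixed(s *Store, u *User, id int64, rules []string) error {
	p, ok := s.policies[id]
	if !ok {
		return ErrNotFound
	}
	if !u.Projects[p.ProjectID] {
		// Deny before writing; a real handler would also log user/project/id here
		// so that cross-project update attempts are visible to detection.
		return ErrForbidden
	}
	p.Rules = rules
	return nil
}

// Rules returns the current rules of a policy (helper for the demo and tests).
func (s *Store) Rules(id int64) []string {
	if p, ok := s.policies[id]; ok {
		return p.Rules
	}
	return nil
}

func main() {
	alice := &User{Name: "alice", Projects: map[int64]bool{1: true}} // may administer project 1 only

	s := NewSampleStore()
	err := UpdateRetentionVulnerable(s, alice, 20, []string{"keep latest 1"})
	fmt.Printf("vulnerable, foreign project: err=%v rules(20)=%v\n", err, s.Rules(20))

	s = NewSampleStore()
	err = UpdateRetentionFixed(s, alice, 20, []string{"keep latest 1"})
	fmt.Printf("fixed, foreign project:      err=%v rules(20)=%v\n", err, s.Rules(20))

	err = UpdateRetentionFixed(s, alice, 10, []string{"keep latest 3"})
	fmt.Printf("fixed, own project:          err=%v rules(10)=%v\n", err, s.Rules(10))
}
```

The design point is that the authorization subject (the project) is derived from the stored object, never from the request, so an id belonging to another project cannot be smuggled past a check that only looked at the caller's current project. Whether the denied case returns 403 or 404 is a separate choice: returning 404 for both missing and foreign policies avoids confirming that a given id exists.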

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

BIT-HARBOR-2022-31670
CVE-2022-31670
GHSA-3637-V6VQ-XQQW

Affected Products

Harbor