PT-2022-20884 · Harbor

Daniel Abeles +1

Published 2022-09-09 · Updated 2024-11-20

CVE-2022-31671

CVSS v3.1: 7.4 High
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Harbor versions prior to 2.5.2

Description: The issue arises from Harbor's failure to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request to read or update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. This can be achieved by sending a request to the "GET /projects/{project name}/preheat/policies/{preheat policy name}/executions/{execution id}/tasks/{task id}/logs" API endpoint.

Recommendations: For Harbor versions prior to 2.5.2, upgrade to Harbor v2.5.2 or later as soon as possible to fix the issue. As a temporary workaround, consider restricting access to the "GET /projects/{project name}/preheat/policies/{preheat policy name}/executions/{execution id}/tasks/{task id}/logs" API endpoint to minimize the risk of exploitation.
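The authorization chain a handler for this endpoint needs, as an added Go example (not Harbor's code; the types, store, user names and sample data are constructed for illustration): each path segment must resolve under its parent, so a task ID taken from another project's execution is rejected even though the row exists.

```go
package main
import "errors"

// Minimal in-memory model of the objects named in the preheat log URL.
// Types, fields and the store are constructed for this example, not Harbor's.
type Policy struct{ ID int }
type Execution struct{ ID, PolicyID int }
type Task struct{ ID, ExecutionID int; Log string }

type Store struct {
	policies   map[string]Policy          // keyed by "<project>/<policy name>"
	executions map[int]Execution
	tasks      map[int]Task
	members    map[string]map[string]bool // project -> users allowed to read it
}

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("not found")

// GetTaskLog serves GET /projects/{p}/preheat/policies/{n}/executions/{e}/tasks/{t}/logs.
// The flaw described above amounts to fetching the task by {t} alone; here the
// project permission is checked first and every path segment must chain to its parent.
func (s *Store) GetTaskLog(user, project, policyName string, execID, taskID int) (string, error) {
	if !s.members[project][user] {
		return "", ErrForbidden // project-level permission check comes first
	}
	pol, ok := s.policies[project+"/"+policyName]
	if !ok {
		return "", ErrNotFound
	}
	exe, ok := s.executions[execID]
	if !ok || exe.PolicyID != pol.ID {
		return "", ErrNotFound // execution is not under this policy
	}
	task, ok := s.tasks[taskID]
	if !ok || task.ExecutionID != exe.ID {
		return "", ErrNotFound // task is not under this execution
	}
	return task.Log, nil
}

// demoStore builds two projects with one policy, execution and task each (constructed data).
func demoStore() *Store {
	return &Store{
		policies:   map[string]Policy{"team-a/warm-a": {1}, "team-b/warm-b": {2}},
		executions: map[int]Execution{1: {1, 1}, 2: {2, 2}},
		tasks:      map[int]Task{10: {10, 1, "team-a task log"}, 20: {20, 2, "team-b task log"}},
		members:    map[string]map[string]bool{"team-a": {"alice": true}, "team-b": {"bob": true}},
	}
}
```

Returning "not found" rather than "forbidden" for a task outside the caller's execution also avoids confirming that the foreign task ID exists.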

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

BIT-HARBOR-2022-31671
CVE-2022-31671
GHSA-3WPX-625Q-22J7
GHSA-Q76Q-Q8HW-HMPW

Affected Products

Harbor