PT-2024-19294 · Harbor

Taisei Inoue

Published: 2024-06-02 · Updated: 2026-01-26

CVE-2024-22261

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Harbor versions 2.8.1 through 2.8.5
Harbor versions 2.9.0 through 2.9.3
Harbor versions 2.10.0 through 2.10.1
Description

A SQL injection issue allows users with the administrator, project admin, or project maintainer role to execute any Postgres function through the API endpoint GET /api/v2.0/projects/{project name}/repositories/{repository name}/artifacts/{reference}/scan/{report id}/log. However, this vulnerability cannot be used to leak useful information into the response, because the query result of the task is only an intermediate value used to locate the job log file. The issue arises from raw SQL execution in the code, specifically in the task.go file.
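The pattern behind the issue, raw SQL text assembled from a request parameter, next to the parameterized form that removes it, as an added Go example. This is not Harbor's code or its task.go: the table and column names, the recorder driver that stands in for Postgres, and the decimal report-id format check are all constructed for the illustration. The recorder captures exactly what the database would receive, so the two styles can be compared on the same input.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"fmt"
	"io"
	"regexp"
)

// recorder is a constructed stand-in for a Postgres driver. Instead of
// executing anything it records the SQL text and the bound parameters that
// the real database would receive, so the two query styles can be compared.
type recorder struct {
	query string
	args  []driver.NamedValue
}

func (r *recorder) Open(string) (driver.Conn, error) { return &recConn{r: r}, nil }

type recConn struct{ r *recorder }

func (c *recConn) Prepare(string) (driver.Stmt, error) { return nil, fmt.Errorf("not used") }
func (c *recConn) Close() error                        { return nil }
func (c *recConn) Begin() (driver.Tx, error)           { return nil, fmt.Errorf("not used") }

// QueryContext satisfies driver.QueryerContext, so database/sql hands the
// connection the statement text and the bound arguments separately.
func (c *recConn) QueryContext(_ context.Context, q string, args []driver.NamedValue) (driver.Rows, error) {
	c.r.query, c.r.args = q, args
	return &oneRow{}, nil
}

// oneRow yields a single constructed log path so QueryRow().Scan succeeds.
type oneRow struct{ done bool }

func (*oneRow) Columns() []string { return []string{"log_path"} }
func (*oneRow) Close() error      { return nil }
func (r *oneRow) Next(dest []driver.Value) error {
	if r.done {
		return io.EOF
	}
	r.done = true
	dest[0] = "/var/log/jobs/42.log" // constructed value, not a real path
	return nil
}

var rec = &recorder{}

func init() { sql.Register("recorder", rec) }

// Vulnerable pattern: the request parameter is spliced into the SQL text, so
// whatever the caller puts in reportID becomes part of the statement.
// Schema names here (task, log_path, report_id) are constructed.
func lookupLogPathRaw(db *sql.DB, reportID string) (string, error) {
	q := fmt.Sprintf("SELECT log_path FROM task WHERE report_id = '%s'", reportID)
	var path string
	err := db.QueryRowContext(context.Background(), q).Scan(&path)
	return path, err
}

// Hardened pattern: the statement text is constant and the parameter is sent
// to the database as a bound value, so it can never alter the statement.
func lookupLogPath(db *sql.DB, reportID string) (string, error) {
	const q = "SELECT log_path FROM task WHERE report_id = $1"
	var path string
	err := db.QueryRowContext(context.Background(), q, reportID).Scan(&path)
	return path, err
}

// Defence in depth: reject identifiers that do not match the expected shape
// before they reach the query layer. The decimal-only format is an assumption
// made for this example; use the real identifier format in practice.
var reportIDPattern = regexp.MustCompile(`^[0-9]{1,20}$`)

func validReportID(id string) bool { return reportIDPattern.MatchString(id) }

func main() {
	db, _ := sql.Open("recorder", "")
	// A constructed value containing SQL metacharacters, not a real report id.
	hostile := "42'; -- not an id"

	lookupLogPathRaw(db, hostile)
	fmt.Println("raw statement sent to DB:  ", rec.query) // metacharacters land inside the statement
	lookupLogPath(db, hostile)
	fmt.Println("bound statement sent to DB:", rec.query, "| bound value:", rec.args[0].Value)
	fmt.Println("passes format check:       ", validReportID(hostile))
}
```

The recorder makes the difference visible without a database: in the raw variant the input becomes part of the statement text, in the parameterized variant the statement is identical for every input and the value travels alongside it. The format check is not a substitute for parameterization; it only narrows what can reach the query layer.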
Recommendations

For Harbor versions 2.8.1 through 2.8.5, update to version 2.8.6 to fix the issue.
For Harbor versions 2.9.0 through 2.9.3, update to version 2.9.4 to fix the issue.
For Harbor versions 2.10.0 through 2.10.1, update to version 2.10.2 to fix the issue.
As a temporary workaround, consider restricting access to the vulnerable API endpoint until a patch is applied.
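One way to express the temporary workaround, as an added Go example that is not part of the advisory or of Harbor: a net/http middleware that answers 403 for the endpoint path named in the description and passes every other request through. The path pattern is derived from that endpoint; it assumes project and reference segments contain no slash while repository names may.

```go
package main

import (
	"net/http"
	"regexp"
)

// scanLogPath matches the endpoint named in the advisory:
// /api/v2.0/projects/{project}/repositories/{repository}/artifacts/{reference}/scan/{report id}/log
// Project, reference and report-id segments are assumed to contain no slash;
// the repository segment is matched greedily because repository names may.
var scanLogPath = regexp.MustCompile(
	`^/api/v2\.0/projects/[^/]+/repositories/.+/artifacts/[^/]+/scan/[^/]+/log$`)

// blockScanLog refuses requests for the scan log endpoint while the upgrade is
// pending and forwards everything else to the wrapped handler unchanged.
func blockScanLog(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if scanLogPath.MatchString(r.URL.Path) {
			http.Error(w, "scan log endpoint temporarily disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed upstream standing in for the API; any handler can be wrapped.
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	http.ListenAndServe("127.0.0.1:8080", blockScanLog(upstream))
}
```

In a real deployment the same rule normally lives on the reverse proxy or ingress in front of Harbor rather than inside its process; the middleware shows the matching logic and the fail-closed response. Note that the deny rule is keyed on the path alone, so it applies to every method, which is the conservative choice for a stopgap.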

Fix

Weakness Enumeration

SQL injection

Related Identifiers

BIT-HARBOR-2024-22261
CVE-2024-22261
GHSA-VW63-824V-QF2J
GO-2024-2916

Affected Products

Harbor