PT-2024-19298 · Harbor · Harbor

Jay Chen +1 · Published 2024-07-31 · Updated 2024-08-20 · CVE-2024-22278

CVSS v4.0: 7.0 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Harbor versions prior to 2.9.5
Harbor versions prior to 2.10.3

Description
The issue arises from incorrect user permission validation: authenticated users holding the maintainer role can modify project configurations. It can be exploited through API calls such as PUT /projects/{project name or id}/metadatas/{meta name}, POST /projects/{project name or id}/metadatas/{meta name}, and DELETE /projects/{project name or id}/metadatas/{meta name}. The maintainer role, intended for individuals supporting project admins, can use the metadata API to circumvent configuration management limitations. Because the attacker must be authenticated and hold the maintainer role on a specific project, the impact is limited to that project.

Recommendations
For Harbor versions prior to 2.9.5, update to version 2.9.5 or later. For Harbor versions prior to 2.10.3, update to version 2.10.3 or later. As a temporary workaround, consider restricting access to the metadata API for users with the maintainer role until a patched version can be deployed.
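To help triage this advisory, here is an added example (not Harbor's own code): it classifies a Harbor version string against the two affected ranges above and lists which members of a project hold the maintainer role, the accounts an administrator would review while the workaround is in place. The version string shape (as returned in "harbor_version" by GET /api/v2.0/systeminfo) and the member object fields (as returned by the project members API) are assumptions, and the sample data is constructed.

```python
"""Triage helpers for CVE-2024-22278 (added example, not Harbor code)."""
import re

# Fixed versions stated in the advisory: 2.9.5 covers the 2.9 line and everything
# before it; 2.10.3 covers the 2.10 line. Later minor lines are outside its scope.
FIX_2_9 = (2, 9, 5)
FIX_2_10 = (2, 10, 3)


def parse_version(raw: str) -> tuple:
    """Turn a tag such as 'v2.9.4-7c3fd6a' into (2, 9, 4), dropping build suffixes.
    The 'vX.Y.Z-suffix' shape is an assumption about Harbor's version string."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised Harbor version: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(raw: str):
    """True if the version is in an affected range from the advisory, False if it is
    at or above the fix for its line, None if the advisory does not cover it."""
    major, minor, patch = parse_version(raw)
    if (major, minor) > (2, 10):
        return None  # 2.11 and later are not described by this advisory
    if major < 2 or minor <= 9:
        return (major, minor, patch) < FIX_2_9  # up to 2.9.x: fixed in 2.9.5
    return (major, minor, patch) < FIX_2_10  # 2.10.x: fixed in 2.10.3


def maintainers(members: list) -> list:
    """Names of project members holding the 'maintainer' role, the role this CVE
    concerns. Field names follow the assumed shape of the members API response."""
    return sorted(m["entity_name"] for m in members if m.get("role_name") == "maintainer")


# Constructed sample: one project's member list ("u" = user, "g" = group).
SAMPLE_MEMBERS = [
    {"entity_name": "alice", "entity_type": "u", "role_name": "projectAdmin"},
    {"entity_name": "bob", "entity_type": "u", "role_name": "maintainer"},
    {"entity_name": "ci-bots", "entity_type": "g", "role_name": "maintainer"},
    {"entity_name": "carol", "entity_type": "u", "role_name": "developer"},
]

if __name__ == "__main__":
    for v in ("v2.9.4-7c3fd6a", "v2.9.5", "v2.10.2", "v2.10.3", "v2.11.0"):
        print(v, "affected:", is_affected(v))
    print("maintainers to review until patched:", maintainers(SAMPLE_MEMBERS))
```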

Fix

Weakness Enumeration
Improper Privilege Management

Related Identifiers

BIT-HARBOR-2024-22278
CVE-2024-22278
GHSA-HW28-333W-QXP3
GO-2024-3013

Affected Products

Harbor