23 matches found
CVE-2020-29662
CVE-2020-29662 affects Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2, where the catalog’s registry API is exposed on an unauthenticated path (e.g., GET /v2/_catalog). This can allow information disclosure via an unauthenticated call. Patches are available: upgrade to Harbor v2.0.5 or v2.1.2. If ...
CVE-2022-31666
Harbor vulnerability CVE-2022-31666 involves failure to validate user permissions when managing Webhook policies. The issue allows authenticated users to view, update, or delete Webhook policies belonging to other users or projects, potentially enabling modification of policies configured in othe...
CVE-2022-31670
CVE-2022-31670 concerns Harbor’s authorization for updating tag retention policies. Several sources describe a flaw where an authenticated user can send an update request for a retention policy id belonging to a project they should not access, allowing modification of policies in other projects. ...
CVE-2022-31671
Harbor (open source registry) contains an authorization issue in the P2P preheat execution logs: authenticated users could read all job logs by requesting different job IDs, indicating a permissions validation failure when reading/updating logs. The CVE entry is corroborated by multiple feeds (GH...
CVE-2022-31669
Harbor (the open‑source registry) contains an authorization flaw in its tag immutability policy API. The vulnerability occurs when updating a tag immutability policy, where a request may specify a policy in a project the authenticated user cannot access, enabling modification of policies in other...
CVE-2022-46463
CVE-2022-46463 describes an access-control issue in Harbor: versions v1.X.X through v2.5.3 allow access to both public and private image repositories without authentication. The vulnerability is described consistently across NVD/OSV/Nuclei sources as an unauthorized access flaw (CWE-306) with...
CVE-2022-31667
Harbor (the Harbor registry) is affected by CVE-2022-31667 due to improper authorization when updating a robot account. The issue occurs when a request to update a robot account specifies an account and name belonging to a project the authenticated user cannot access, allowing an attacker to revo...
CVE-2019-16097
Harbor up to version 1.8.2 is affected by CVE-2019-16097: core/api/user.go allows non-admin users to create admin accounts via POST /api/users when Harbor uses DB as the authentication backend and self-registration is enabled. Impact is privilege escalation to administrator as described in multip...
CVE-2019-16919
Harbor/CNCF Harbor API contains a Broken Access Control vulnerability (CVE-2019-16919). It can allow a project administrator to create a robot account with unauthorized push/pull permissions in a project they should not control. Affected components include Harbor API within Harbor Container Regis...
CVE-2023-20902
CVE-2023-20902 affects Harbor up to specific older branches: 2.6.x and below, 2.7.2 and below, 2.8.2 and below, and 1.10.17 and below. A timing condition in Harbor permits a remote attacker (network access) to create or stop job tasks and to retrieve job task information. No public details beyond...
CVE-2019-19025
CVE-2019-19025 affects Cloud Native Computing Foundation Harbor prior to versions 1.8.6 and 1.9.3, where the Harbor web interface is vulnerable to Cross-site Request Forgery (CSRF) in the VMware Harbor Container Registry for the Pivotal Platform. The root cause is CSRF protection gaps in the Harb...
CVE-2019-19029
CVE-2019-19029 affects Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3, enabling SQL Injection via the user-groups feature in the VMware Harbor Container Registry for the Pivotal Platform. The issue is documented with CVSS 3.1/2.0 vectors (high impact on confidentiality, integri...
CVE-2019-19023
The CVE-2019-19023 entry affects Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3, describing a Privilege Escalation vulnerability in the VMware Harbor Container Registry for the Pivotal Platform. The connected records confirm affected versions and root cause as a privilege escal...
CVE-2019-19026
CVE-2019-19026 affects Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3, where a SQL Injection vulnerability can be exploited via project quotas in the VMware Harbor Container Registry for the Pivotal Platform. Root cause: handling of project quotas allows injection attempts. Imp...
CVE-2024-22261
Harbor (scan log API) is affected by a SQL Injection vulnerability described across OSV-BIT-HARBOR-2024-22261 and NVD CVE-2024-22261. The issue arises in the Harbor scan log API where privileged users (administrator, project_admin, project_maintainer) can trigger arbitrary SQL execution to leak t...
CVE-2019-19030
The CVE-2019-19030 issue affects Harbor (Cloud Native Computing Foundation Harbor) prior to 1.10.3 and 2.x prior to 2.0.1. Root cause: unauthenticated API calls allow resource existence checks, enabling resource enumeration via HTTP status responses. Impact: information disclosure by revealing wh...
CVE-2024-22278
CVE-2024-22278 concerns Harbor where incorrect user permission validation in Harbor <v2.9.5 and Harbor
CVE-2022-31668
Harbor (github.com/goharbor/harbor) is affected by CVE-2022-31668 due to improper permission validation when updating p2p preheat policies. A request to update a policy with an id belonging to a project the authenticated user cannot access could allow modification of p2p preheat policies in other...
CVE-2019-3990
Affected product: Harbor (Open Source Harbor registry). Vulnerability: the administrator restriction on the "/users" API endpoint can be bypassed, allowing user enumeration. Information about registered users can be obtained through the "+search" functionality. Root cause / nature (as describ...
CVE-2020-13788
Harbor (goHarbor) prior to 2.0.1 is affected by a limited SSRF vulnerability (CVE-2020-13788). If a user with project-edit permissions can access the API endpoint used to test a project webhook, they can scan TCP ports on hosts inside Harbor’s intranet. The root cause is a vulnerable “Test Endpoi...
CVE-2024-22244
CVE-2024-22244 is an open-redirect issue affecting Harbor versions ≤ v2.8.4, ≤ v2.9.2, and ≤ v2.10.0. Connected sources describe the vulnerability as an open redirect risk, linked to insufficient validation of the redirect_url parameter in OIDC authentication flows. Core details include the affected product...
CVE-2020-13794
CVE-2020-13794 affects Harbor 1.9.*, 1.10.*, and 2.0.*, enabling exposure of sensitive information via user enumeration. Publicly cited detail shows an authenticated user can enumerate usernames via the /api/users/search endpoint (curl example and _ parameter usage), bypassing admin restrictions. Th...
CVE-2017-17697
Harbor (ui/api/target.go) has an SSRF vulnerability in Ping() via the endpoint parameter to /api/targets/ping, affecting Harbor up to 1.3.0-rc4. Several connected sources confirm the issue and describe an exploitation path leading to information disclosure; a remediation cited in Snyk is to upgrade ...