GMS-2022-4062: Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs

September 9, 2022

Harbor fails to validate the user permissions when reading job execution logs through the P2P preheat execution logs - API call GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}/tasks/{task_id}/logs By sending a request that attempts to read P2P preheat execution logs and specifying different job ids, malicious authenticatedusers could read all the job logs stored in the Harbor database.

References

github.com/advisories/GHSA-q76q-q8hw-hmpw
github.com/goharbor/harbor/security/advisories/GHSA-q76q-q8hw-hmpw

Detect and mitigate GMS-2022-4062 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →