Platform
go
Component
github.com/goharbor/harbor
Fixed in
<v2.9.5
<v2.10.3
2.9.5
2.9.5+incompatible
CVE-2024-22278 describes an authorization bypass vulnerability within Harbor, a popular open-source container registry. This flaw allows an attacker to modify project configurations without the necessary permissions, potentially granting them unauthorized access to sensitive data and control over the registry. The vulnerability impacts versions of Harbor prior to 2.9.5+incompatible, and a fix has been released.
The core of the vulnerability lies in Harbor’s insufficient validation of user permissions when updating project configurations. An attacker who can exploit this bypass can modify project settings, such as access control lists (ACLs) and replication policies. This could lead to unauthorized access to container images, the ability to push malicious images, and even complete control over the registry's functionality. The potential blast radius extends to any application or service relying on the compromised Harbor registry for container images, potentially impacting production environments and downstream systems. While no immediate precedent exists, a successful exploitation could mirror the impact of privilege escalation vulnerabilities in other container orchestration platforms.
CVE-2024-22278 was publicly disclosed on August 6, 2024. The EPSS score is currently pending evaluation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests a relatively low barrier to exploitation once a suitable attack vector is identified. It is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on Harbor for container image storage and distribution are at significant risk. This includes DevOps teams, CI/CD pipelines, and any environment where containerized applications are deployed. Specifically, those using Harbor in multi-tenant environments or with complex RBAC configurations should prioritize patching.
• go / server:
journalctl -u harbor -f | grep -i 'permission denied'
• generic web:
curl -I <harbor_url>/api/projects/<project_name> | grep -i '403 forbidden'
Disclosure
Exploit status
EPSS
0.18% (39th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-22278 is to upgrade Harbor to version 2.9.5+incompatible or later. If an immediate upgrade is not feasible due to compatibility concerns or ongoing maintenance windows, consider implementing stricter access controls and auditing project configuration changes. Regularly review Harbor's audit logs for any suspicious activity. While a direct WAF rule is unlikely to prevent this, implementing a proxy with robust authentication and authorization policies can add an extra layer of defense. After upgrading, confirm the fix by attempting to modify project configurations with a user account that should not have the necessary permissions; the operation should be denied.
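The two checks the paragraph above describes, as an added example that is not part of this advisory or of the Harbor project's code: first, classify a Harbor version string against the fixed releases listed on this page (2.9.5 for the 2.9 line, 2.10.3 for the 2.10 line, so any older release including 2.8.x counts as affected), handling the `v` prefix, the Go `+incompatible` suffix and build or pre-release suffixes; second, interpret the HTTP status returned when a deliberately unprivileged account attempts a project configuration update on a throwaway test project. The `GET /api/v2.0/systeminfo` response field `harbor_version` and the `PUT /api/v2.0/projects/{name}` update are taken from the Harbor v2 REST API as the author of this example knows it, and the JSON sample is constructed; the environment variable names and the `assess` wording are this example's own assumptions.

```python
import base64
import json
import os
import re
import urllib.error
import urllib.request

# Fixed releases named on this page: 2.9.5 closes the 2.9 line, 2.10.3 the 2.10 line.
FIXED_2_9 = (2, 9, 5)
FIXED_2_10 = (2, 10, 3)


def parse_version(s):
    """Normalise 'v2.9.5+incompatible', '2.10.2-rc1' or 'v2.9.1-7f3c2a1' to (major, minor, patch)."""
    core = re.split(r"[-+]", s.strip().lstrip("vV"), maxsplit=1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Harbor version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected(s):
    """True when the version predates the fix on its release line."""
    v = parse_version(s)
    if v < FIXED_2_9:                      # everything older than 2.9.5, including 2.8.x
        return True
    if v[:2] == (2, 10) and v < FIXED_2_10:  # 2.10.0 to 2.10.2
        return True
    return False


# Constructed sample of a /api/v2.0/systeminfo response body (not captured from a real deployment).
SAMPLE_SYSTEMINFO = '{"harbor_version": "v2.9.4-7f3c2a1", "auth_mode": "db_auth"}'


def version_from_systeminfo(body):
    """Pull harbor_version out of the JSON that GET /api/v2.0/systeminfo returns."""
    return json.loads(body)["harbor_version"]


def assess(status):
    """Interpret the status of an unprivileged project update attempt.

    403 means the permission check held; a 2xx means the update went through and the
    instance is still exposed; anything else (401 bad credentials, 404 wrong project,
    5xx) proves nothing either way and must be re-run.
    """
    if status == 403:
        return "fixed"
    if 200 <= status < 300:
        return "vulnerable"
    return "inconclusive"


def probe(base_url, user, password, project):
    """Send a no-op metadata update as the given user and return the HTTP status.

    Use a dedicated test project that is already private so an accepted request changes nothing.
    """
    url = f"{base_url.rstrip('/')}/api/v2.0/projects/{project}"
    body = json.dumps({"metadata": {"public": "false"}}).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=body, method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    ver = version_from_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"sample version {ver}: {'affected' if is_affected(ver) else 'fixed'}")
    # Live verification only when the (assumed) environment variables are set.
    env = {k: os.environ.get(k) for k in ("HARBOR_URL", "HARBOR_USER", "HARBOR_PASS", "HARBOR_TEST_PROJECT")}
    if all(env.values()):
        status = probe(env["HARBOR_URL"], env["HARBOR_USER"], env["HARBOR_PASS"], env["HARBOR_TEST_PROJECT"])
        print(f"update attempt by {env['HARBOR_USER']} returned {status}: {assess(status)}")
```

Run the probe with an account that is not a member of the test project (or only a guest); the expected outcome after upgrading is a 403, and the corresponding entry should also appear in Harbor's audit log, which is the same signal the detection commands above look for.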
Upgrade Harbor to version 2.9.5 or later, or to version 2.10.3 or later. This corrects the faulty validation of user permissions when project configurations are updated. The upgrade can be performed through the Harbor user interface or from the command line.
CVE-2024-22278 is a medium-severity authorization bypass vulnerability in Harbor that allows unauthorized modification of project configurations in versions prior to 2.9.5+incompatible.
You are affected if you are running Harbor versions prior to 2.9.5+incompatible. Check your current version and upgrade immediately.
Upgrade Harbor to version 2.9.5+incompatible or later. Implement stricter RBAC policies as an interim measure.
There is currently no evidence of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the official Harbor security advisory on their GitHub repository: [https://github.com/goharbor/harbor/security/advisories/GHSA-9999](https://github.com/goharbor/harbor/security/advisories/GHSA-9999)