{"id":"CVE-2022-31668","summary":"User permission validation failure and disclosure of P2P preheat execution logs","details":"Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.","aliases":["BIT-harbor-2022-31668","GHSA-3wpx-625q-22j7","GHSA-r864-28pw-8682","GO-2024-3268"],"modified":"2026-05-28T04:08:45.471909193Z","published":"2024-11-14T11:56:31.043Z","related":["openSUSE-SU-2024:14599-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31668.json","unresolved_ranges":[{"extracted_events":[{"last_affected":"Harbor (Go) 2.x\u003c=2.4.2; 2.5\u003c=2.5.1"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"vmware","cwe_ids":["CWE-285"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31668.json"},{"type":"ADVISORY","url":"https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31668"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/goharbor/harbor","events":[{"introduced":"d0f3ddddab96f25b7c2de18e7aebf8f79c7b19cc"},{"fixed":"85ef1409cba206582b1b6947c888bdbe6d5747d3"},{"introduced":"98e1b82fbfcc0f1ab9673e0911ae937e6a6fca36"},{"fixed":"66882717920d0337f17a43d5450b6227ca98047e"}],"database_specific":{"cpe":"cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"2.0.0"},{"fixed":"2.4.3"},{"introduced":"2.5.0"},{"fixed":"2.5.2"}]}}],"versions":["v2.5.1-rc1","v2.5.1","v2.5.0-rc4","v2.5.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31668.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"}]}