CVE-2022-31667

6.4 MEDIUM

📋 TL;DR

This vulnerability in Harbor allows authenticated users to revoke robot account permissions belonging to projects they don't have access to. Attackers with valid credentials can disrupt automated workflows by disabling robot accounts. Organizations using Harbor for container registry management are affected.

💻 Affected Systems

Products:
  • Harbor
Versions: All versions before 2.5.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Harbor deployments with robot accounts are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Malicious insider or compromised account could systematically disable all robot accounts, causing widespread CI/CD pipeline failures and service disruptions.

🟠 Likely Case: Accidental or targeted disruption of specific robot accounts leading to broken automated deployments and operational impact.

🟢 If Mitigated: Limited impact with proper access controls and monitoring, though unauthorized permission changes could still occur.

🌐 Internet-Facing: MEDIUM - Requires authentication but internet-facing Harbor instances are exposed to credential-based attacks.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of robot account IDs/names.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.2 and later

Vendor Advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f

Restart Required: Yes

Instructions:

1. Back up the Harbor configuration and database.
2. Upgrade to Harbor 2.5.2 or later.
3. Restart Harbor services.
4. Verify robot account functionality.

🔧 Temporary Workarounds

Restrict Robot Account Management (applies to: all): Limit which users can manage robot accounts through RBAC policies.

Network Segmentation (applies to: all): Restrict access to Harbor API endpoints to trusted networks only.

🧯 If You Can't Patch

  • Implement strict access controls and monitor all robot account modification attempts
  • Regularly audit robot account permissions and maintain backups of critical accounts

🔍 How to Verify

Check if Vulnerable:

Check Harbor version via web UI or API. Versions below 2.5.2 are vulnerable.

Check Version:

curl -k https://<harbor-host>/api/v2.0/systeminfo | grep harbor_version

Verify Fix Applied:

After upgrading to 2.5.2 or later, attempt to update a robot account in a project you don't have access to; the request should fail with a proper authorization error.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized PUT requests to /api/v2.0/projects/*/robots/* endpoints
  • Failed authorization attempts for robot account modifications

Network Indicators:

  • Unusual patterns of robot account API calls from a single user
  • Multiple robot account permission changes in a short time

SIEM Query:

source="harbor" AND (uri_path="/api/v2.0/projects/*/robots/*" AND http_method="PUT") AND response_code=200
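As an added defender-side example (not part of this advisory), the log and network indicators above expressed as a small Python filter: successful and denied PUTs to the project robot endpoint, a per-user burst count, and users whose successful changes span several projects, which is the cross-project access this CVE permits. The log line format and sample lines are constructed for the demonstration, and the burst and cross-project thresholds are assumptions to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access-log lines (not real Harbor output); assumed format:
# "<ISO-8601 timestamp> <user> <method> <path> <status>"
SAMPLE_LOG = """\
2022-08-01T10:00:01Z alice PUT /api/v2.0/projects/library/robots/12 200
2022-08-01T10:00:04Z alice PUT /api/v2.0/projects/team-b/robots/13 200
2022-08-01T10:00:07Z alice PUT /api/v2.0/projects/team-c/robots/14 200
2022-08-01T10:06:00Z carol PUT /api/v2.0/projects/team-d/robots/15 403
2022-08-01T11:30:00Z dave PUT /api/v2.0/projects/library/robots/16 200
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Project-scoped robot endpoint named in the advisory; group 1 is the project.
ROBOT_PATH = re.compile(r"^/api/v2\.0/projects/([^/]+)/robots/[^/]+$")

def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    rows = [m.groups() for m in map(LINE.match, text.splitlines()) if m]
    return [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
             "method": method, "path": path, "status": int(status)}
            for ts, user, method, path, status in rows]

def robot_puts(events, statuses):
    """PUTs to project robot endpoints whose HTTP status is in `statuses`."""
    return [e for e in events if e["method"] == "PUT"
            and ROBOT_PATH.match(e["path"]) and e["status"] in statuses]

def burst_users(mods, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` robot changes inside any one `window`."""
    by_user = defaultdict(list)
    for e in mods:
        by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def cross_project_users(mods, min_projects=2):
    """Users whose changes span several projects: the cross-project access this CVE grants."""
    projects = defaultdict(set)
    for e in mods:
        projects[e["user"]].add(ROBOT_PATH.match(e["path"]).group(1))
    return {u: sorted(p) for u, p in projects.items() if len(p) >= min_projects}
```

Feed `robot_puts(events, {200})` into both detectors; `robot_puts(events, {401, 403})` lists the denied attempts that the "Failed authorization attempts" indicator refers to.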
