CVE-2022-31670
📋 TL;DR
This vulnerability allows authenticated Harbor users to modify tag retention policies in projects they shouldn't have access to. Attackers can exploit improper permission validation to alter retention rules in other projects, potentially causing data loss or disruption. All Harbor deployments with multiple projects and user accounts are affected.
💻 Affected Systems
- Harbor
📦 What is this software?
Harbor by Linuxfoundation
Harbor by Linuxfoundation
Harbor by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Malicious insider or compromised account could delete or modify retention policies across all projects, causing permanent data loss, compliance violations, and service disruption.
Likely Case
Unauthorized modification of retention policies leading to premature deletion of container images, disrupting development pipelines and causing operational issues.
If Mitigated
Limited to authenticated users only, with proper network segmentation and monitoring catching unauthorized policy changes before significant damage.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward - sending crafted API requests to modify retention policies with unauthorized project IDs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.2 and later
Vendor Advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw
Restart Required: Yes
Instructions:
1. Backup Harbor configuration and database. 2. Upgrade to Harbor 2.5.2 or later. 3. Restart Harbor services. 4. Verify permissions are properly enforced.
🔧 Temporary Workarounds
Restrict API Access
linuxImplement network controls to restrict access to Harbor API endpoints from unauthorized users.
iptables -A INPUT -p tcp --dport 8080 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Temporary Permission Review
allAudit and temporarily restrict user permissions to only necessary project access.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Harbor from untrusted networks
- Enable detailed audit logging for all tag retention policy changes and monitor for unauthorized modifications
🔍 How to Verify
Check if Vulnerable:
Check Harbor version: if version < 2.5.2, system is vulnerable. Test by attempting to modify retention policy for project where user lacks permissions.Check Version:
docker exec harbor-core cat /harbor/VERSIONVerify Fix Applied:
After patching, attempt to modify retention policy for unauthorized project - request should be rejected with permission error.📡 Detection & Monitoring
Log Indicators:
- Unauthorized API requests to /api/v2.0/retentions/* endpoints
- Retention policy modifications from users not in project member list
- HTTP 200 responses for retention updates on unauthorized projects
Network Indicators:
- POST/PUT requests to retention API endpoints with project IDs not associated with authenticated user
- Unusual pattern of retention policy modifications
SIEM Query:
source="harbor" AND (uri_path="/api/v2.0/retentions/*" AND http_method IN ("PUT", "POST")) | stats count by user, project_id