Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31668.json",
"cna_assigner": "vmware",
"cwe_ids": [
"CWE-285"
],
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1"
},
{
"last_affected": "Harbor (Go) 2.x<=2.4.2; 2.5<=2.5.1"
}
],
"source": "AFFECTED_FIELD"
}
]
}