CVE-2025-30086

Source
https://cve.org/CVERecord?id=CVE-2025-30086
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30086.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-30086
Aliases
Published
2025-07-25T15:15:26.347Z
Modified
2026-03-12T20:15:57.363700Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

References

Affected packages

Git / github.com/goharbor/harbor

Affected ranges

Type
GIT
Repo
https://github.com/goharbor/harbor
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.13.x"
        },
        {
            "fixed": "2.13.1"
        },
        {
            "introduced": "2.12.x"
        },
        {
            "fixed": "2.12.4"
        }
    ]
}

Affected versions

v2.*
v2.12.0
v2.12.0-rc2
v2.12.1
v2.12.1-rc1
v2.12.1-rc2
v2.12.1-rc3
v2.12.2
v2.12.2-rc1
v2.12.2-rc2
v2.12.3
v2.12.3-rc1
v2.12.3-rc2
v2.13.0
v2.13.0-rc2
v2.13.1-rc1
v2.13.1-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30086.json"