CVE-2022-31666: 
Harbor vulnerability analysis and mitigation

Harbor, an open-source artifact registry by VMware, was found to contain a high-severity vulnerability (CVE-2022-31666) that fails to validate user permissions while deleting Webhook policies. This vulnerability allows malicious users to view, update, and delete Webhook policies of other users, potentially affecting systems running Harbor versions 1.0 through 1.10.12, 2.0 through 2.4.2, and 2.5 through 2.5.1 (VMware Advisory).

The vulnerability exists in the API endpoint PUT /projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}. The core issue stems from Harbor's improper authorization checks, where it only validates that the requesting user has access to the project ID specified in the request but fails to verify if the requested webhook ID belongs to the specified project ID. The vulnerability has been assigned a CVSS v3.1 base score of 7.7 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (NVD, VMware Advisory).

The vulnerability enables attackers to modify Webhook policies configured in other projects, potentially compromising the security of the Harbor deployment. This could lead to unauthorized access to project configurations and potential manipulation of webhook notifications for repository events (Help Net Security).

The vulnerability has been patched in Harbor versions 2.4.3+ and 2.5.2+. Users are strongly advised to upgrade to these or later versions as soon as possible. No workarounds are available for this vulnerability (VMware Advisory).

The vulnerability was discovered and reported by security researchers Gal Goldstein and Daniel Abeles from Oxeye Security. It was part of a series of high-severity IDOR vulnerabilities found in the CNCF-graduated project Harbor (Help Net Security).