CVE-2022-31671: 
Harbor vulnerability analysis and mitigation

Harbor, an open-source artifact registry by VMware, was found to contain a high-severity vulnerability (CVE-2022-31671) that fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. The vulnerability was discovered in 2022 and affects Harbor versions 2.0.0 through 2.4.2 and 2.5.0 through 2.5.1 (NVD, Harbor Advisory).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS v3.1 base score of 7.4 (High). The attack vector is network-based, requires low attack complexity, and low privileges, with no user interaction needed. The vulnerability has a changed scope with low impact on confidentiality, integrity, and availability (NVD).

By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, malicious authenticated users could read all the job logs stored in the Harbor database. This represents a significant security breach in terms of unauthorized access to potentially sensitive information (Harbor Advisory).

The vulnerability has been patched in Harbor versions 2.4.3+ and 2.5.2+. Organizations are strongly advised to upgrade to these or later versions as soon as possible. No workarounds are available for this vulnerability (Harbor Advisory).

The vulnerability was discovered by security researchers Gal Goldstein and Daniel Abeles from Oxeye Security. It was part of a series of high-severity IDOR vulnerabilities found in the CNCF-graduated project Harbor (Help Net Security).