Harbor fails to validate the user permissions when updating tag immutability policies

Main / Harbor fails to validate the user permissions when updating tag immutability policies

Discription

### Impact
Harbor fails to validate the user permissions when updating tag immutability policies – API call:

PUT /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}

By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesnt have access to, the attacker could
modify tag immutability policies configured in other projects.

### Patches
This and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.

### Workarounds
There are no workarounds available.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)

### Credits
Thanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye Security](https://www.oxeye.io/) for reporting this issue.Read More

References

Back to Main

Subscribe for the latest news: