logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-22261 github.com/goharbor/harbor

Package

Manager: go
Name: github.com/goharbor/harbor
Vulnerable Version: >=0 <2.8.6 || >=2.9.0 <2.9.4 || >=2.10.0 <2.10.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00272 pctl0.50307

Details

SQL Injection in Harbor scan log API ### Impact A user with an administrator, project_admin, or project_maintainer role could utilize and exploit SQL Injection to allow the execution of any Postgres function or the extraction of sensitive information from the database through this API: ``` GET /api/v2.0/projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log ``` The SQL injection might happen in the code: https://github.com/goharbor/harbor/blob/9b7c1a2274fbc5ea16e19a484532f86c08926577/src/pkg/task/task.go#L241 Because raw SQL executed in ormer.Raw(Sql).QueryRows() is PrepareStatement. In the driver of Postgres, one PrepareStatement must contain only ONE SQL command, see https://www.postgresql.org/docs/15/libpq-exec.html#LIBPQ-PQPREPARE. The SQL should start with: ``` SELECT * FROM task WHERE extra_attrs::jsonb->'report_uuids' @> ``` Adding a delete/update operation by appending malicious content to the current SQL is impossible. Furthermore, the query result of the task is just an intermediate result, the task ID is used to locate the job log file, and the response only contains the content of the job log file. so this vulnerability can be used to execute SQL functions, but it can't leak any useful information to the response. Harbor >=v2.8.1, >=2.9.0, >=2.10.0 are impacted. ### Patches Harbor v2.8.6, v2.9.4, v2.10.2 fixes this issue. ### Workarounds There is no workaround for this issue. ### Credits Thanks Taisei Inoue ([taisei.inoue@gmo-cybersecurity.com](mailto:taisei.inoue@gmo-cybersecurity.com))

Metadata

Created: 2024-06-02T22:32:40Z
Modified: 2024-06-17T15:14:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-vw63-824v-qf2j/GHSA-vw63-824v-qf2j.json
CWE IDs: ["CWE-566"]
Alternative ID: GHSA-vw63-824v-qf2j
Finding: F316
Auto approve: 1