data/reports: add GO-2024-3268

tatianab · tatianab · commit 71faa815ab90 · 2024-12-12T07:46:43.000-08:00
- data/reports/GO-2024-3268.yaml Fixes #3268 Change-Id: Ibc2c4cfb65aadcf23181459b802bd3ea136785e3 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635224 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2024-3268.json b/data/osv/GO-2024-3268.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-3268",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-31668",
+    "GHSA-r864-28pw-8682"
+  ],
+  "summary": "Harbor fails to validate the user permissions when updating p2p preheat policies in github.com/goharbor/harbor",
+  "details": "Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/goharbor/harbor",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "2.0.0+incompatible"
+            },
+            {
+              "fixed": "2.4.3+incompatible"
+            },
+            {
+              "introduced": "2.5.0+incompatible"
+            },
+            {
+              "fixed": "2.5.2+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Gal Goldstein (Oxeye Security)"
+    },
+    {
+      "name": "Daniel Abeles (Oxeye Security)"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-3268",
+    "review_status": "REVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-3268.yaml b/data/reports/GO-2024-3268.yaml
@@ -0,0 +1,28 @@
+id: GO-2024-3268
+modules:
+    - module: github.com/goharbor/harbor
+      versions:
+        - introduced: 2.0.0+incompatible
+        - fixed: 2.4.3+incompatible
+        - introduced: 2.5.0+incompatible
+        - fixed: 2.5.2+incompatible
+      vulnerable_at: 2.5.2-rc1+incompatible
+summary: Harbor fails to validate the user permissions when updating p2p preheat policies in github.com/goharbor/harbor
+description: |-
+    Harbor fails to validate the user permissions when updating p2p preheat
+    policies. By sending a request to update a p2p preheat policy with an id that
+    belongs to a project that the currently authenticated user doesn't have access
+    to, the attacker could modify p2p preheat policies configured in other projects.
+cves:
+    - CVE-2022-31668
+ghsas:
+    - GHSA-r864-28pw-8682
+credits:
+    - Gal Goldstein (Oxeye Security)
+    - Daniel Abeles (Oxeye Security)
+references:
+    - advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7
+source:
+    id: GHSA-r864-28pw-8682
+    created: 2024-12-11T16:27:13.919736-05:00
+review_status: REVIEWED
