{"id":"CVE-2022-31670","details":"Harbor fails to validate user permissions when updating tag retention policies.\n\nBy sending a request to update a tag retention policy with an ID that belongs to a project the currently authenticated user does not have access to, an attacker could modify tag retention policies configured in other projects.","aliases":["BIT-harbor-2022-31670","GHSA-3637-v6vq-xqqw"],"modified":"2026-04-10T04:47:57.647572Z","published":"2024-11-14T12:15:17.040Z","references":[{"type":"ADVISORY","url":"https://github.com/goharbor/harbor/security/advisories/GHSA-3637-v6vq-xqqw"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/goharbor/harbor","events":[{"introduced":"0"},{"fixed":"563555c92f0d07c31e57c7129729742e9fb3b998"},{"introduced":"d0f3ddddab96f25b7c2de18e7aebf8f79c7b19cc"},{"fixed":"85ef1409cba206582b1b6947c888bdbe6d5747d3"},{"introduced":"98e1b82fbfcc0f1ab9673e0911ae937e6a6fca36"},{"fixed":"66882717920d0337f17a43d5450b6227ca98047e"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"1.10.13"},{"introduced":"2.0.0"},{"fixed":"2.4.3"},{"introduced":"2.5.0"},{"fixed":"2.5.2"}]}}],"versions":["0.1.0","0.1.1","0.3.0","0.3.5","0.3.5-rc","0.4.0","0.4.1","0.4.5","0.5.0","0.5.0-rc1","0.5.0-rc2","1.1.0-rc1","1.1.0-rc2","v1.1.0","v1.1.0-rc3","v1.10.0","v1.10.0-rc1","v1.10.0-rc2","v1.10.1","v1.10.1-rc1","v1.10.10","v1.10.10-rc1","v1.10.11","v1.10.11-rc1","v1.10.12","v1.10.12-rc1","v1.10.2","v1.10.2-rc1","v1.10.3","v1.10.3-rc1","v1.10.3-rc2","v1.10.4","v1.10.4-rc1","v1.10.5","v1.10.5-rc1","v1.10.6","v1.10.6-rc1","v1.10.7","v1.10.7-rc1","v1.10.8","v1.10.8-rc1","v1.10.9","v1.2.0-rc1","v1.2.0-rc2","v1.2.0-rc3","v1.2.0-rc4","v1.3.0-rc1","v1.4.0-rc1","v1.4.0-rc2","v1.7.0-rc1","v2.0.0-rc1","v2.1.0-rc1","v2.1.0-tech-preview","v2.1.0-tech-prview","v2.2.0-rc1","v2.3.0-rc1","v2.3.0.-rc1","v2.4.0","v2.4.0-rc1","v2.4.0-rc2","v2.4.1","v2.4.1-rc1","v2.4.1-rc2","v2.4.2","v2.4.2-rc1","v2.5.0","v2.5.0-rc4","v2.5.1","v2.5.1-rc1"],"
database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31670.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"}]}