{"id":"GO-2024-3268","summary":"Harbor fails to validate the user permissions when updating p2p preheat policies in github.com/goharbor/harbor","details":"Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.","aliases":["BIT-harbor-2022-31668","CVE-2022-31668","GHSA-3wpx-625q-22j7","GHSA-r864-28pw-8682"],"modified":"2026-03-03T04:56:01.887693Z","published":"2024-12-12T15:46:43Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-3268","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7"}],"affected":[{"package":{"name":"github.com/goharbor/harbor","ecosystem":"Go","purl":"pkg:golang/github.com/goharbor/harbor"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0+incompatible"},{"fixed":"2.4.3+incompatible"},{"introduced":"2.5.0+incompatible"},{"fixed":"2.5.2+incompatible"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-3268.json"}}],"schema_version":"1.7.3","credits":[{"name":"Gal Goldstein (Oxeye Security)"},{"name":"Daniel Abeles (Oxeye Security)"}]}