
linuxfoundation harbor

23 known vulnerabilities across versions
Vulnerabilities are listed by affected version range, with the CVSS base score and severity for each entry.
CVE-2022-31671
>= 2.0.0 and < 2.4.3
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By
7.4HIGH
CVE-2022-31670
>= 1.0.0 and < 1.10.13
Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retent
7.7HIGH
CVE-2022-31669
>= 2.0.0 and < 2.4.3
Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag imm
6.4MEDIUM
CVE-2022-31668
>= 2.0.0 and < 2.4.3
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat po
7.4HIGH
CVE-2022-31667
>= 2.0.0 and < 2.4.3
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user
6.4MEDIUM
CVE-2022-31666
>= 2.0.0 and < 2.4.3
Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Web
7.7HIGH
CVE-2024-22278
< 2.9.5
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
6.4MEDIUM
CVE-2024-22261
>= 2.8.1 and < 2.8.6
SQL injection in Harbor allows privileged users to leak the task IDs
2.7LOW
CVE-2024-22244
>= 2.8.0 and < 2.8.5
Open Redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site.
4.3MEDIUM
CVE-2023-20902
< 1.10.17
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allow
5.9MEDIUM
CVE-2022-46463
>= 1.1.0 and <= 2.5.3
An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authen
7.5HIGH
CVE-2019-19030
< 1.10.3
Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated AP
5.3MEDIUM
CVE-2020-29662
>= 2.0 and < 2.0.5
In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path.
5.3MEDIUM
CVE-2020-13794
>= 1.9.0 and < 2.0.3
Harbor 1.9.*, 1.10.*, and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor.
4.3MEDIUM
CVE-2020-13788
< 2.0.1
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts acce
4.3MEDIUM
CVE-2019-19029
>= 1.7.0 and < 1.8.6
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Contai
7.2HIGH
CVE-2019-19026
>= 1.7.0 and < 1.8.6
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Con
4.9MEDIUM
CVE-2019-19025
>= 1.7.0 and < 1.8.6
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivo
8.8HIGH
CVE-2019-19023
>= 1.7.0 and < 1.8.6
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Co
8.8HIGH
CVE-2019-3990
>= 1.7.0 and <= 1.7.6
A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restr
4.3MEDIUM
CVE-2019-16919
>= 1.8.0 and <= 1.8.3
Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to cre
7.5HIGH
CVE-2019-16097
all versions
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when H
6.5MEDIUM
CVE-2017-17697
< 1.3.0
The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.
8.6HIGH
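The listing above gives one affected-version range per CVE, in a small notation (`>= 2.0.0 and < 2.4.3`, `< 1.10.17`, `>= 1.1.0 and <= 2.5.3`, `all versions`, `>= 2.0 and < 2.0.5`). An operator's first question is "which of these apply to the Harbor I am running?", so the following is an added example, written for this page and not code from threatengine.sh or the Harbor project, that parses that notation and matches a deployed version against every entry. The `LISTED` table is transcribed from the entries above; everything else (the function names, the pre-release ordering rule) is this example's own choice. One caveat a practitioner must keep in mind: the range column carries only a single range per CVE, while several descriptions name further branches (CVE-2024-22278 also names `<v2.10.3`, CVE-2020-29662 names `2.1.x before 2.1.2`, CVE-2023-20902 names several 2.x branches), so a miss here is not a clean bill of health; read the description and the upstream advisory before concluding a version is unaffected.

```python
import re
from typing import List, Tuple

# Transcribed from the listing on this page: (CVE id, affected-range column, CVSS score).
LISTED: List[Tuple[str, str, float]] = [
    ("CVE-2022-31671", ">= 2.0.0 and < 2.4.3", 7.4),
    ("CVE-2022-31670", ">= 1.0.0 and < 1.10.13", 7.7),
    ("CVE-2022-31669", ">= 2.0.0 and < 2.4.3", 6.4),
    ("CVE-2022-31668", ">= 2.0.0 and < 2.4.3", 7.4),
    ("CVE-2022-31667", ">= 2.0.0 and < 2.4.3", 6.4),
    ("CVE-2022-31666", ">= 2.0.0 and < 2.4.3", 7.7),
    ("CVE-2024-22278", "< 2.9.5", 6.4),
    ("CVE-2024-22261", ">= 2.8.1 and < 2.8.6", 2.7),
    ("CVE-2024-22244", ">= 2.8.0 and < 2.8.5", 4.3),
    ("CVE-2023-20902", "< 1.10.17", 5.9),
    ("CVE-2022-46463", ">= 1.1.0 and <= 2.5.3", 7.5),
    ("CVE-2019-19030", "< 1.10.3", 5.3),
    ("CVE-2020-29662", ">= 2.0 and < 2.0.5", 5.3),
    ("CVE-2020-13794", ">= 1.9.0 and < 2.0.3", 4.3),
    ("CVE-2020-13788", "< 2.0.1", 4.3),
    ("CVE-2019-19029", ">= 1.7.0 and < 1.8.6", 7.2),
    ("CVE-2019-19026", ">= 1.7.0 and < 1.8.6", 4.9),
    ("CVE-2019-19025", ">= 1.7.0 and < 1.8.6", 8.8),
    ("CVE-2019-19023", ">= 1.7.0 and < 1.8.6", 8.8),
    ("CVE-2019-3990", ">= 1.7.0 and <= 1.7.6", 4.3),
    ("CVE-2019-16919", ">= 1.8.0 and <= 1.8.3", 7.5),
    ("CVE-2019-16097", "all versions", 6.5),
    ("CVE-2017-17697", "< 1.3.0", 8.6),
]

# One comparison clause of the listing's notation: an operator followed by a dotted version.
_CLAUSE = re.compile(r"(>=|<=|>|<)\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'v2.4.2', '2.0' or '1.3.0-rc4' into a comparable tuple.

    Missing components are zero-padded ('2.0' == '2.0.0'). A pre-release
    suffix such as '-rc4' makes the last element 0 so that it sorts below the
    final release of the same number, as semver orders them (this example's
    rule; the listing itself never shows a pre-release bound).
    """
    text = text.strip().lstrip("v")
    core, dash, _prerelease = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognized version: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2], 0 if dash else 1)


_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
}


def parse_range(spec: str) -> List[Tuple[str, Tuple[int, int, int, int]]]:
    """'>= 2.0.0 and < 2.4.3' -> [('>=', (2,0,0,1)), ('<', (2,4,3,1))]; 'all versions' -> []."""
    spec = spec.strip()
    if spec == "all versions":
        return []
    clauses = [(op, parse_version(ver)) for op, ver in _CLAUSE.findall(spec)]
    if not clauses:
        raise ValueError(f"unrecognized range: {spec!r}")
    return clauses


def in_range(version: str, spec: str) -> bool:
    """True when every clause of the range holds for the version (empty range matches all)."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


def affecting(version: str) -> List[Tuple[str, float]]:
    """CVEs from LISTED whose range column covers `version`, highest CVSS first."""
    hits = [(cve, score) for cve, spec, score in LISTED if in_range(version, spec)]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


if __name__ == "__main__":
    for cve, score in affecting("v2.4.2"):
        print(f"{cve}  CVSS {score}")
```

Running it for `v2.4.2` yields eight entries, the six 2.4.3 fixes plus CVE-2022-46463 and CVE-2019-16097 (the latter because its range column reads `all versions`, although its description names 1.7.0 through 1.8.2, a second reason to read the description rather than trust the column alone). For `2.10.2` the table returns nothing for CVE-2024-22278 even though that CVE's description also names `<v2.10.3`; that gap is exactly the caveat in the lead-in.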
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin