CVE-2022-31667 Information

Description

Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. 

By sending a request that attempts to update a robot account and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to it was possible to revoke the robot account permissions.

Reference

https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f