github.com/goharbor/harbor (Go)
21 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/goharbor/harbor
- CVE-2019-16097 | MEDIUM | CVSS 6.5 | EG 9.0 | Fixed in 1.9.0-rc1 | 2019-09-08
  core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with the database as the authentication backend and self-registration is enabled. Fixed version: v1.7.…
- CVE-2019-19023 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 1.9.3 | 2020-03-20
  Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a privilege escalation vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
- CVE-2019-19025 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 1.9.3 | 2020-03-20
  Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
- CVE-2019-19026 | MEDIUM | CVSS 4.9 | EG 4.9 | Fixed in 1.9.3 | 2020-03-20
  Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
- CVE-2019-19029 | HIGH | CVSS 7.2 | EG 7.2 | Fixed in 1.9.3 | 2020-03-20
  Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL injection via user groups in the VMware Harbor Container Registry for the Pivotal Platform.
- CVE-2019-19030 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 2.0.1+incompatible | 2022-12-26
  Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.
- CVE-2020-13788 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 2.0.1+incompatible | 2020-07-15
  Harbor prior to 2.0.1 allows SSRF, with this limitation: an attacker with the ability to edit projects can scan ports of hosts reachable on the Harbor server's intranet.
- CVE-2020-13794 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 2.0.3+incompatible | 2020-09-30
  Harbor 1.9.*, 1.10.* and 2.0.* allow exposure of sensitive information to an unauthorized actor.
- CVE-2020-29662 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 2.1.2+incompatible | 2021-02-02
  In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog's registry API is exposed on an unauthenticated path.
- CVE-2022-31666 | HIGH | CVSS 7.7 | EG 7.7 | Fixed in 2.5.2 | 2024-11-14
  Harbor fails to validate user permissions while deleting webhook policies, allowing malicious users to view, update and delete webhook policies of other users. The attacker could modify webhook policies configured in other projects.
- CVE-2022-31667 | MEDIUM | CVSS 6.4 | EG 6.4 | Fixed in 2.5.2 | 2024-11-14
  Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn't have access to. By sending a request that attempts to update a robot account, and specifying a …
- CVE-2022-31668 | HIGH | CVSS 7.4 | EG 7.4 | Fixed in 2.5.2+incompatible | 2024-11-14
  Harbor fails to validate the user permissions when updating P2P preheat policies. By sending a request to update a P2P preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the a…
- CVE-2022-31669 | MEDIUM | CVSS 6.4 | EG 6.4 | Fixed in 2.5.2 | 2024-11-14
  Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn't have ac…
- CVE-2022-31670 | HIGH | CVSS 7.7 | EG 7.7 | Fixed in 2.5.2 | 2024-11-14
  Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn't have access …
- CVE-2022-31671 | HIGH | CVSS 7.4 | EG 7.4 | Fixed in 2.5.2 | 2024-11-14
  Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, m…
- CVE-2023-20902 | MEDIUM | CVSS 5.9 | EG 5.9 | Fixed in 2.8.3+incompatible | 2023-11-09
  A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to create jobs/stop job tasks and retrieve job task information.
- CVE-2024-22244 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 2.10.1+incompatible | 2024-06-10
  Open redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site.
- CVE-2024-22261 | LOW | CVSS 2.7 | EG 2.7 | Fixed in 2.10.2+incompatible | 2024-06-11
  SQL injection in Harbor allows privileged users to leak task IDs.
- CVE-2024-22278 | MEDIUM | CVSS 6.4 | EG 6.4 | Fixed in 2.10.3+incompatible | 2024-08-02
  Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
- CVE-2025-30086 | MEDIUM | CVSS 4.9 | EG 4.9 | Fixed in 2.13.1+incompatible | 2025-07-25
  CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter…
- CVE-2025-32019 | MEDIUM | CVSS 4.1 | EG 4.1 | Fixed in 2.13.1-rc1+incompatible | 2025-07-23
  Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info ta…
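The "Fixed in" column above records one fixed Go module tag per CVE, but several of the descriptions name fixes on more than one release branch (CVE-2019-19030 is fixed in 1.10.3 as well as 2.0.1, CVE-2024-22278 in 2.9.5 as well as 2.10.3), so a check that only tests "deployed version < Fixed in" flags patched older branches as vulnerable. The Go program below is an added example, not code from Harbor or from this site. It parses Harbor version strings in the forms that appear on this page (a `v` prefix, `-rcN` pre-release labels, and the `+incompatible` suffix Go modules attach to v2+ tags), then evaluates a version against per-branch fixes and lower bounds transcribed from six of the advisory texts above. Two assumptions are built in and marked in the code: a version newer than every listed fix contains the fix, and an advisory that states no lower bound (CVE-2022-31666, for instance) affects every older release, which is the conservative reading.

```go
package main

import (
	"fmt"
	"strings"
)

// Version is a parsed Harbor release tag. Build metadata such as "+incompatible"
// (what Go modules attach to v2+ tags lacking a /vN module path) is dropped.
type Version struct {
	Major, Minor, Patch int
	Pre                 string // pre-release label such as "rc1"; "" for a final release
}

// ParseVersion accepts forms like "1.9.0-rc1", "v2.10.2+incompatible" and "2.0.0";
// round-tripping the numbers rejects trailing junk and leading zeros.
func ParseVersion(s string) (Version, error) {
	var v Version
	s, _, _ = strings.Cut(strings.TrimPrefix(strings.TrimSpace(s), "v"), "+")
	s, v.Pre, _ = strings.Cut(s, "-")
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &v.Major, &v.Minor, &v.Patch); n != 3 || err != nil ||
		fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch) != s {
		return Version{}, fmt.Errorf("version %q: want major.minor.patch", s)
	}
	return v, nil
}

// Compare returns -1, 0 or 1; a pre-release sorts below its final release (semver).
func (a Version) Compare(b Version) int {
	for _, d := range []int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d < 0 {
			return -1
		} else if d > 0 {
			return 1
		}
	}
	if a.Pre == "" || b.Pre == "" {
		return strings.Compare(b.Pre, a.Pre) // "" outranks "rcN", hence the flip
	}
	return strings.Compare(a.Pre, b.Pre) // rc1 < rc2; enough for Harbor's rcN labels
}

// Advisory holds the bounds stated in one CVE's text: the first affected release
// ("" when none is given) and the first fixed release on each branch it names.
type Advisory struct {
	ID, Introduced string
	FixedIn        []string
}

// Affected is true when v is below the fix on its own major.minor branch or, when
// that branch lists none, below every listed fix (assumption: any branch cut after
// the fix landed contains it). Versions older than Introduced are not affected.
func (adv Advisory) Affected(v Version) (bool, error) {
	if in, err := ParseVersion(adv.Introduced); adv.Introduced != "" && (err != nil || v.Compare(in) < 0) {
		return false, err
	}
	var oldest Version
	for i, s := range adv.FixedIn {
		f, err := ParseVersion(s)
		if err != nil {
			return false, err
		}
		if f.Major == v.Major && f.Minor == v.Minor {
			return v.Compare(f) < 0, nil
		}
		if i == 0 || f.Compare(oldest) < 0 {
			oldest = f
		}
	}
	return len(adv.FixedIn) > 0 && v.Compare(oldest) < 0, nil
}

// harborAdvisories is a hand-transcribed subset of this page. FixedIn widens the
// page's single "Fixed in" column with the other branch fixes each advisory's text
// names; Introduced is set only where the text states a lower bound.
var harborAdvisories = []Advisory{
	{ID: "CVE-2019-19023", FixedIn: []string{"1.8.6", "1.9.3"}},
	{ID: "CVE-2019-19030", FixedIn: []string{"1.10.3", "2.0.1"}},
	{ID: "CVE-2020-29662", Introduced: "2.0.0", FixedIn: []string{"2.0.5", "2.1.2"}},
	{ID: "CVE-2022-31666", FixedIn: []string{"2.5.2"}},
	{ID: "CVE-2024-22278", FixedIn: []string{"2.9.5", "2.10.3"}},
	{ID: "CVE-2025-30086", Introduced: "2.12.0", FixedIn: []string{"2.12.4", "2.13.1"}},
}

// AffectedBy returns, in page order, the advisory IDs that apply to one Harbor version.
func AffectedBy(version string) ([]string, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return nil, err
	}
	var ids []string
	for _, adv := range harborAdvisories {
		if hit, err := adv.Affected(v); err != nil {
			return nil, err
		} else if hit {
			ids = append(ids, adv.ID)
		}
	}
	return ids, nil
}

func main() {
	// 1.10.3 is below the page's "Fixed in 2.0.1" for CVE-2019-19030 yet is patched
	// on its own branch, so it must not be flagged for that CVE.
	for _, ver := range []string{"1.10.3", "2.0.0", "v2.10.2+incompatible", "2.12.4"} {
		ids, err := AffectedBy(ver)
		fmt.Println(ver, ids, err)
	}
}
```

Feed AffectedBy the version string Harbor reports (the harbor_version field of GET /api/v2.0/systeminfo) or the one pinned in an SBOM. The pre-release ordering matters for entries such as CVE-2019-16097, whose fix is 1.9.0-rc1: 1.9.0-rc1 sorts below 1.9.0 but not below itself. Entries whose descriptions are truncated on this page cannot be transcribed faithfully and are left out; for those, the single "Fixed in" tag is the only bound available here.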