CVE-2025-30086
BaseFortify
Publication date: 2025-07-25
Last updated on: 2025-07-25
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cncf | harbor | 2.12.3 |
| cncf | harbor | 2.13.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-30086 is an ORM (Object-Relational Mapping) leak vulnerability in CNCF Harbor versions before 2.13.1 and 2.12.4. It occurs because the /api/v2.0/users endpoint allows administrator users to filter users by any database column using the "q" URL parameter without proper restrictions. Attackers with administrator access can exploit this by using filters like "password=~" to leak users' password hash and salt values character by character from the database. This happens due to unsafe dynamic filtering of user inputs in the ORM query-building process, enabling a filter oracle attack that reveals sensitive data through response differences. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of highly sensitive information, specifically users' password hashes and salts stored in the Harbor database. An attacker with administrator privileges can exploit the flaw to extract this data character by character, compromising the confidentiality of user credentials. Although it does not affect data integrity or availability, the exposure of password hashes and salts can facilitate further attacks such as password cracking and unauthorized access. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /api/v2.0/users endpoint (and other endpoints supporting the 'q' URL parameter) for the ability to filter users by arbitrary columns, especially using filters like 'password=~' or 'password__startswith'. An administrator can attempt to send requests with filters that guess password hash characters to see if the response indicates a match, revealing sensitive data character-by-character. A practical approach is to use scripts or commands that send HTTP requests with crafted 'q' parameters to check if password hashes or salts can be inferred from the responses. For example, using curl or a similar HTTP client to send requests like: curl -X GET 'https://your-harbor-instance/api/v2.0/users?q=password__startswith=p' -H 'Authorization: Bearer <admin-token>' and observing if the response returns user data, indicating a leak. Automating this with scripts that iterate over possible characters can confirm the vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Harbor to versions 2.13.1 or later, or 2.12.4 or later, where this vulnerability is patched. Additionally, restrict administrator access to trusted users only, as exploitation requires administrator privileges. If upgrading immediately is not possible, consider disabling or restricting access to the vulnerable API endpoints that support the 'q' parameter filtering, or implement strict input validation and allowlisting on the filter parameters to prevent arbitrary column filtering. Monitoring and logging administrator API usage for suspicious filtering patterns can also help detect exploitation attempts. [1]
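The allowlisting and log-monitoring steps above, as an added defender-side example (not Harbor's own code and not from the CVE record): it parses the comma-separated `k=v` clauses of a Harbor-style `q` parameter, strips ORM lookup suffixes such as `__startswith`, rejects any column not on an assumed allowlist, and runs that check over constructed access-log lines to flag requests that filter `/api/v2.0/users` on columns like `password` or `salt`. The allowlist and the nginx-like log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of user columns an admin may filter on; Harbor's patched
# allowlist may differ, adjust to match your deployment.
ALLOWED_USER_FILTER_KEYS = {"username", "email", "realname", "user_id", "sysadmin_flag"}

# A `q` value is a comma-separated list of clauses (k=v, k=~v, k=[a~b], k={v1 v2});
# only the key left of the first '=' matters for the allowlist decision.
_CLAUSE_RE = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")


def filter_keys(q: str) -> list[str]:
    """Return the keys referenced by each clause of a `q` filter string."""
    keys = []
    for clause in q.split(","):
        m = _CLAUSE_RE.match(clause)
        if m:
            keys.append(m.group(1).lower())
    return keys


def disallowed_keys(q: str) -> list[str]:
    """Keys whose base column (ORM suffix like __startswith removed) is not allowlisted."""
    return [k for k in filter_keys(q) if k.split("__", 1)[0] not in ALLOWED_USER_FILTER_KEYS]


# Constructed sample access-log lines (nginx-style), not real Harbor output.
SAMPLE_LOG = """\
10.0.0.5 - admin [25/Jul/2025:10:00:01 +0000] "GET /api/v2.0/users?q=username%3Dalice HTTP/1.1" 200 812
10.0.0.9 - admin [25/Jul/2025:10:00:02 +0000] "GET /api/v2.0/users?q=password__startswith%3Dp HTTP/1.1" 200 812
10.0.0.9 - admin [25/Jul/2025:10:00:03 +0000] "GET /api/v2.0/users?q=password%3D~%24,salt%3D~a HTTP/1.1" 200 812
10.0.0.5 - admin [25/Jul/2025:10:00:04 +0000] "GET /api/v2.0/projects?q=name%3D~lib HTTP/1.1" 200 412
"""

_REQ_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(?:GET|POST|PUT|DELETE|PATCH) (\S+) ')


def suspicious_requests(log_text: str) -> list[dict]:
    """Flag /api/v2.0/users requests whose `q` filters touch non-allowlisted columns."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        src, user, ts, target = m.groups()
        url = urlsplit(target)
        if url.path != "/api/v2.0/users":
            continue
        for q in parse_qs(url.query).get("q", []):  # parse_qs also percent-decodes
            bad = disallowed_keys(q)
            if bad:
                hits.append({"src": src, "user": user, "time": ts, "keys": bad})
    return hits
```

Run `suspicious_requests(SAMPLE_LOG)` to see the two probing requests flagged; the same `disallowed_keys` check can sit in front of the endpoint as the input-validation step.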