CVE-2025-30086
CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.
| Software | From | Fixed in |
|---|---|---|
github.com/goharbor/harbor
|
2.13.0 | 2.13.0.x |
|
github.com/goharbor/harbor
|
2.13.0 | 2.13.1 |
|
github.com/goharbor/harbor
|
2.4.0-rc1.1 | 2.12.4 |
|
github.com/goharbor/harbor
|
- | 2.4.0-rc1.0.20250331071157-dce7d9f5cffb |
- https://github.com/goharbor/harbor/commit/dce7d9f5cffbd0d0c5d27e7a2f816f65a930702c
- https://github.com/goharbor/harbor/releases
- https://github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8
- https://goharbor.io/blog
- https://goharbor.io/blog/
- https://www.elttam.com/blog/plormbing-your-django-orm
- https://www.elttam.com/blog/plormbing-your-django-orm/
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime