x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-h27m-3qw8-3pw8

[GoVulnBot]

Advisory GHSA-h27m-3qw8-3pw8 references a vulnerability in the following Go modules:

Module
github.com/goharbor/harbor

Description:

Impact

Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the /api/v2.0/users endpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because the q URL parameter allowed the administrator to filter users by any column, and the filter password=~ could be abused to leak out a user's password hash character by character.

An attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on ...

References:

• ADVISORY: GHSA-h27m-3qw8-3pw8
• ADVISORY: GHSA-h27m-3qw8-3pw8
• FIX: goharbor/harbor@dce7d9f

Cross references:

• github.com/goharbor/harbor appears in 21 other report(s):
  • data/excluded/GO-2022-1009.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31667, GHSA-xx9w-464f-7h6f #1009) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1010.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31669, GHSA-8c6p-v837-77f6 #1010) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1011.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31666, GHSA-jf8p-3vjh-pq94 #1011) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1012.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31670, GHSA-3637-v6vq-xqqw #1012) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1013.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31671, GHSA-q76q-q8hw-hmpw #1013) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2245.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2019-16919 #2245) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2256.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2019-3990 #2256) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2022-0704.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-q9x4-q76f-5h5j #704)
  • data/reports/GO-2022-0781.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-33p6-fx42-7rf5 #781)
  • data/reports/GO-2022-0785.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-38r5-34mr-mvm7 #785)
  • data/reports/GO-2022-0818.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor/src/core/api: GHSA-9wvh-ff5f-xjpj #818)
  • data/reports/GO-2022-0853.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-jr34-mff8-pc6f #853)
  • data/reports/GO-2022-0863.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-q6cj-6jvq-jwmh #863)
  • data/reports/GO-2022-0865.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor/src/core/api: GHSA-q9p8-33wc-h432 #865)
  • data/reports/GO-2022-0876.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-rffr-c932-cpxv #876)
  • data/reports/GO-2022-0883.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-w4x5-jqq4-qc8x #883)
  • data/reports/GO-2023-2109.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-mq6f-5xh5-hgcf #2109)
  • data/reports/GO-2024-2915.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2024-22244 #2915)
  • data/reports/GO-2024-2916.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2024-22261 #2916)
  • data/reports/GO-2024-3013.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: GHSA-hw28-333w-qxp3 #3013)
  • data/reports/GO-2024-3268.yaml (x/vulndb: potential Go vuln in github.com/goharbor/harbor: CVE-2022-31668 #3268)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/goharbor/harbor
      versions:
        - fixed: 2.12.4+incompatible
      non_go_versions:
        - introduced: TODO (earliest fixed "2.13.1", vuln range "= 2.13.0")
        - fixed: 2.4.0-rc1.0.20250331071157-dce7d9f5cffb
        - introduced: 2.4.0-rc1.1
      vulnerable_at: 2.12.4-rc1+incompatible
summary: Possible ORM Leak Vulnerability in the Harbor in github.com/goharbor/harbor
cves:
    - CVE-2025-30086
ghsas:
    - GHSA-h27m-3qw8-3pw8
references:
    - advisory: https://github.com/advisories/GHSA-h27m-3qw8-3pw8
    - advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8
    - fix: https://github.com/goharbor/harbor/commit/dce7d9f5cffbd0d0c5d27e7a2f816f65a930702c
notes:
    - fix: 'module merge error: could not merge versions of module github.com/goharbor/harbor: invalid or non-canonical semver version (found TODO (earliest fixed "2.13.1", vuln range "= 2.13.0"))'
source:
    id: GHSA-h27m-3qw8-3pw8
    created: 2025-07-23T16:01:31.268475697Z
review_status: UNREVIEWED