CVE-2025-30086

Severity CVSS v4.0:

Pending analysis

Type:

CWE-200 Information Leak / Disclosure

Publication date:

25/07/2025

Last modified:

25/07/2025

Description

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users&#39; password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user&#39;s password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 4.90 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x

4.90

Severity 3.x

MEDIUM

CVE-2025-30086

Description

Impact

References to Advisories, Solutions, and Tools