Detections
Analytics

CVE-2025-30086

medium

Description

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

References

https://www.elttam.com/blog/plormbing-your-django-orm/

https://goharbor.io/blog/

https://github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8

https://github.com/goharbor/harbor/releases

Details

Source: Mitre, NVD

Published: 2025-07-25

Updated: 2025-07-25

Risk Information

CVSS v2

Base Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.9

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00028