We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-30086



Description

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

Reserved 2025-03-16 | Published 2025-07-25 | Updated 2025-07-25 | Assigner mitre

References

github.com/goharbor/harbor/releases

www.elttam.com/blog/plormbing-your-django-orm/

goharbor.io/blog/

github.com/...harbor/security/advisories/GHSA-h27m-3qw8-3pw8

cve.org (CVE-2025-30086)

nvd.nist.gov (CVE-2025-30086)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-30086

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.