Vulnerabilites related to project-zot - zot
CVE-2025-23208 (GCVE-0-2025-23208)
Vulnerability from cvelistv5
Published
2025-01-17 22:24
Modified
2025-01-22 14:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. Any Zot configuration that relies on group-based authorization will not respect group remove/revocation by an IdP. This issue has been addressed in version 2.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| project-zot | zot |
Version: < 2.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23208",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T14:26:14.576260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T14:27:12.141Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zot",
"vendor": "project-zot",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn\u0027t obvious to me if it were the case. Any Zot configuration that relies on group-based authorization will not respect group remove/revocation by an IdP. This issue has been addressed in version 2.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-17T22:24:09.406Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/project-zot/zot/security/advisories/GHSA-c9p4-xwr9-rfhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/project-zot/zot/security/advisories/GHSA-c9p4-xwr9-rfhx"
},
{
"name": "https://github.com/project-zot/zot/commit/002ac62d8a15bf0cba010b3ba7bde86f9837b613",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/project-zot/zot/commit/002ac62d8a15bf0cba010b3ba7bde86f9837b613"
},
{
"name": "https://github.com/project-zot/zot/blob/5e30fec65c49e3139907e2819ccb39b2e3bd784e/pkg/meta/boltdb/boltdb.go#L1665",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/project-zot/zot/blob/5e30fec65c49e3139907e2819ccb39b2e3bd784e/pkg/meta/boltdb/boltdb.go#L1665"
}
],
"source": {
"advisory": "GHSA-c9p4-xwr9-rfhx",
"discovery": "UNKNOWN"
},
"title": "IdP group membership revocation ignored in zot"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-23208",
"datePublished": "2025-01-17T22:24:09.406Z",
"dateReserved": "2025-01-13T17:15:41.050Z",
"dateUpdated": "2025-01-22T14:27:12.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39897 (GCVE-0-2024-39897)
Vulnerability from cvelistv5
Published
2024-07-09 18:48
Modified
2024-08-02 04:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to.
This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring "dedupe": false in the "storage" settings. The vulnerability is fixed in 2.1.0.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| project-zot | zot |
Version: < 2.1.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-10T20:35:45.771671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T20:35:52.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.364Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"
},
{
"name": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "zot",
"vendor": "project-zot",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. \n This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring \"dedupe\": false in the \"storage\" settings. The vulnerability is fixed in 2.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T18:48:24.335Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"
},
{
"name": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"
}
],
"source": {
"advisory": "GHSA-55r9-5mx9-qq7r",
"discovery": "UNKNOWN"
},
"title": "Cache driver GetBlob() allows read access to any blob without access control check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39897",
"datePublished": "2024-07-09T18:48:24.335Z",
"dateReserved": "2024-07-02T19:37:18.599Z",
"dateUpdated": "2024-08-02T04:33:11.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48374 (GCVE-0-2025-48374)
Vulnerability from cvelistv5
Published
2025-05-22 20:43
Modified
2025-05-23 14:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Summary
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs for an example at container startup. Version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| project-zot | zot |
Version: < 1.4.4-0.20250522160828-8a99a3ed231f |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T14:29:24.291687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T14:33:24.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zot",
"vendor": "project-zot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.4-0.20250522160828-8a99a3ed231f"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs for an example at container startup. Version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T20:43:13.708Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/project-zot/zot/security/advisories/GHSA-c37v-3c8w-crq8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/project-zot/zot/security/advisories/GHSA-c37v-3c8w-crq8"
},
{
"name": "https://github.com/project-zot/zot/commit/8a99a3ed231fdcd8467e986182b4705342b6a15e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/project-zot/zot/commit/8a99a3ed231fdcd8467e986182b4705342b6a15e"
}
],
"source": {
"advisory": "GHSA-c37v-3c8w-crq8",
"discovery": "UNKNOWN"
},
"title": "zot logs secrets"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48374",
"datePublished": "2025-05-22T20:43:13.708Z",
"dateReserved": "2025-05-19T15:46:00.395Z",
"dateUpdated": "2025-05-23T14:33:24.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}