Description

zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring "dedupe": false in the "storage" settings. The vulnerability is fixed in 2.1.0.

INFO

Published Date :

2024-07-09T18:48:24.335Z

Last Modified :

2024-08-02T04:33:11.364Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-39897 vulnerability.

Vendors Products
Zotregistry
  • Zot
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-39897.

URL Resource
https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df cve-icon cve-icon cve-icon
https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact