CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
zot is an OCI image registry. Prior to 2.1.0, the cache driver GetBlob()
allows read access to any blob without access control check. If a Zot accessControl
policy allows users read access to some repositories but restricts read access to other repositories and dedupe
is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to.
This attack is possible because ImageStore.CheckBlob()
calls checkCacheBlob()
to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with copyBlob()
. The attack may be mitigated by configuring “dedupe”: false in the “storage” settings. The vulnerability is fixed in 2.1.0.