Lucene search

GoogleOSV:GO-2024-2979

HistoryJul 10, 2024 - 5:05 p.m.

Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot

2024-07-1017:05:50

Google

osv.dev

cache driver

getblob

read access

access control check

zotregistry.dev

vulnerability

software

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.3

Confidence

High

JSON

Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: zotregistry.dev/zot before v2.1.0; zotregistry.io/zot before v2.1.0.

References

github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df

github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r

nvd.nist.gov/vuln/detail/CVE-2024-39897

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.3

Confidence

High

JSON

Related for OSV:GO-2024-2979