6 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DistSpecAuthzHandler process. An attacker can overwrite an existing latest tag without the required update permission by exploiting the authorization logic that incorrectly treats overwrite attempts as...
zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required)
zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the tag already exists and reference != "latest". as a result, when latest already exists, a user who is allowed to create but not allowe...
CVE-2026-31801
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
CVE-2026-31801 zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
CVE-2026-31801
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
CVE-2026-31801
Summary : CVE-2026-31801 affects zot, an OCI distribution registry, where the dist-spec authorization middleware misclassifies PUT /v2/{name}/manifests/{reference} as create and only switches to update when the tag exists and reference != "latest". As a result, a user allowed to create (but not u...