Lucene search
K

17 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.4 views

CVE-2026-31801

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...

7.7CVSS5.8AI score0.00212EPSS
Exploits1References1
OSV
OSV
added 2026/03/12 8:57 p.m.4 views

GO-2026-4668 zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required) in zotregistry.dev/zot

zot’s create-only policy allows overwrite attempts of existing latest tag update permission not required in zotregistry.dev/zot. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

7.7CVSS5.8AI score0.00212EPSS
Exploits1References3
SUSE CVE
SUSE CVE
added 2026/03/11 4:15 p.m.4 views

SUSE CVE-2026-31801

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...

7.7CVSS5.8AI score0.00212EPSS
Exploits1References4
Snyk
Snyk
added 2026/03/10 11:44 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DistSpecAuthzHandler process. An attacker can overwrite an existing latest tag without the required update permission by exploiting the authorization logic that incorrectly treats overwrite attempts as...

8.3CVSS5.8AI score0.00212EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/10 11:44 p.m.4 views

EUVD-2026-10890

zot’s create-only policy allows overwrite attempts of existing latest tag update permission not required...

7.7CVSS5.8AI score0.00212EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/10 8:54 p.m.27 views

CVE-2026-31801 zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...

7.7CVSS0.00212EPSS
Exploits1References1
CVE
CVE
added 2026/03/10 8:54 p.m.12 views

CVE-2026-31801

Summary : CVE-2026-31801 affects zot, an OCI distribution registry, where the dist-spec authorization middleware misclassifies PUT /v2/{name}/manifests/{reference} as create and only switches to update when the tag exists and reference != "latest". As a result, a user allowed to create (but not u...

7.7CVSS5.8AI score0.00212EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/10 8:54 p.m.2 views

CVE-2026-31801 zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...

7.7CVSS5.8AI score0.00212EPSS
Exploits1References1
OSV
OSV
added 2026/03/10 8:54 p.m.7 views

CVE-2026-31801 zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...

7.7CVSS5.8AI score0.00212EPSS
Exploits1References3
OPENSUSE Linux
OPENSUSE Linux
added 2026/01/28 12:0 a.m.3 views

zot-registry-2.1.14-1.1 on GA media (moderate)

zot-registry-2.1.14-1.1 on GA media Announcement ID: openSUSE-SU-2026:10100-1 Rating: moderate Cross-References: CVE-2025-30204 CVSS scores: CVE-2025-30204 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-30204 SUSE : 8.7...

8.7CVSS5.9AI score0.00693EPSS
Exploits0
OSV
OSV
added 2026/01/26 12:0 a.m.2 views

OPENSUSE-SU-2026:10100-1 zot-registry-2.1.14-1.1 on GA media

These are all security issues fixed in the zot-registry-2.1.14-1.1 package on the GA media of openSUSE Tumbleweed...

7.5CVSS6.8AI score0.00693EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2025/05/31 1:26 a.m.2 views

SUSE CVE-2025-48374

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f, when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout...

6.9CVSS6.9AI score0.00152EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/05/24 9:17 p.m.14 views

CVE-2025-48374

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f, when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout...

6.9CVSS6.9AI score0.00152EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/05/22 8:43 p.m.6 views

CVE-2025-48374 zot logs secrets

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f, when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout...

6.9CVSS6.5AI score0.00152EPSS
Exploits0References2
Snyk
Snyk
added 2025/05/22 8:33 p.m.2 views

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to the logging configuration, an attacker can access sensitive information by exploiting the exposed logs using Keycloak as an OIDC provider clientsecret containing secret credentials...

6.9CVSS6.7AI score0.00152EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2025/01/30 3:47 a.m.3 views

SUSE CVE-2025-23208

zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database meta.db is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended...

7.3CVSS6.7AI score0.00394EPSS
Exploits1References3
CVE
CVE
added 2025/01/17 10:24 p.m.337 views

CVE-2025-23208

The CVE-2025-23208 issue affects Zot, an OCI image registry. Root cause: SetUserGroups on login appends new groups instead of replacing existing memberships, stored in boltdb (meta.db), so group revocations/removals from IdPs are ignored. Impact: any configuration using group-based authorization ...

7.3CVSS7.1AI score0.00394EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder