17 matches found
CVE-2026-31801
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
GO-2026-4668 zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required) in zotregistry.dev/zot
zot’s create-only policy allows overwrite attempts of existing latest tag update permission not required in zotregistry.dev/zot. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
SUSE CVE-2026-31801
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DistSpecAuthzHandler process. An attacker can overwrite an existing latest tag without the required update permission by exploiting the authorization logic that incorrectly treats overwrite attempts as...
EUVD-2026-10890
zot’s create-only policy allows overwrite attempts of existing latest tag update permission not required...
CVE-2026-31801 zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
CVE-2026-31801
Summary : CVE-2026-31801 affects zot, an OCI distribution registry, where the dist-spec authorization middleware misclassifies PUT /v2/{name}/manifests/{reference} as create and only switches to update when the tag exists and reference != "latest". As a result, a user allowed to create (but not u...
CVE-2026-31801 zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
CVE-2026-31801 zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
zot-registry-2.1.14-1.1 on GA media (moderate)
zot-registry-2.1.14-1.1 on GA media Announcement ID: openSUSE-SU-2026:10100-1 Rating: moderate Cross-References: CVE-2025-30204 CVSS scores: CVE-2025-30204 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-30204 SUSE : 8.7...
OPENSUSE-SU-2026:10100-1 zot-registry-2.1.14-1.1 on GA media
These are all security issues fixed in the zot-registry-2.1.14-1.1 package on the GA media of openSUSE Tumbleweed...
SUSE CVE-2025-48374
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f, when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout...
CVE-2025-48374
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f, when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout...
CVE-2025-48374 zot logs secrets
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f, when using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout...
Insertion of Sensitive Information into Log File
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to the logging configuration, an attacker can access sensitive information by exploiting the exposed logs using Keycloak as an OIDC provider clientsecret containing secret credentials...
SUSE CVE-2025-23208
zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database meta.db is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended...
CVE-2025-23208
The CVE-2025-23208 issue affects Zot, an OCI image registry. Root cause: SetUserGroups on login appends new groups instead of replacing existing memberships, stored in boltdb (meta.db), so group revocations/removals from IdPs are ignored. Impact: any configuration using group-based authorization ...