CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence: Low
github.com/project-zot/zot is vulnerable to Improper Access Control. The vulnerability is due to improper access control enforcement when deduplication is enabled. An attacker can read blobs (both config and layers) by digest from repositories they do not have access to by exploiting the global cache mechanism.
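
The access-control gap described above, as an added example that is not zot's code: a simplified model in which every repository shares one digest-keyed dedupe cache. The type, function names and sample data are hypothetical, and the weak handler's behaviour (authorize the requested repository, then trust the global cache) is an assumption about how such a gap arises. The scoped handler shows one mitigation: serve a digest only when the requested repository itself references it.

```go
package main

import "fmt"

// Registry is a simplified model (an assumption, not zot's code) with one global dedupe cache.
type Registry struct {
	cache map[string][]byte          // digest -> content, shared by all repos
	refs  map[string]map[string]bool // repo -> digests that repo references
	acl   map[string]map[string]bool // user -> repos the user may read
}

var ErrDenied, ErrUnknown = fmt.Errorf("access denied"), fmt.Errorf("blob unknown to repository")

// getBlobWeak authorizes the requested repo only, then trusts the global cache.
func (r *Registry) getBlobWeak(user, repo, digest string) ([]byte, error) {
	if !r.acl[user][repo] {
		return nil, ErrDenied
	}
	if b, ok := r.cache[digest]; ok {
		return b, nil // served even if the blob belongs only to another repo
	}
	return nil, ErrUnknown
}

// getBlobScoped also requires the requested repo to reference the digest.
func (r *Registry) getBlobScoped(user, repo, digest string) ([]byte, error) {
	if !r.acl[user][repo] {
		return nil, ErrDenied
	}
	if b, ok := r.cache[digest]; ok && r.refs[repo][digest] {
		return b, nil
	}
	return nil, ErrUnknown
}

// sampleRegistry builds constructed data: alice may read only "public/app".
func sampleRegistry() *Registry {
	return &Registry{
		cache: map[string][]byte{"sha256:aaa": []byte("public layer"), "sha256:bbb": []byte("private config")},
		refs:  map[string]map[string]bool{"public/app": {"sha256:aaa": true}, "private/app": {"sha256:bbb": true}},
		acl:   map[string]map[string]bool{"alice": {"public/app": true}},
	}
}

func main() {
	r := sampleRegistry()
	_, weakErr := r.getBlobWeak("alice", "public/app", "sha256:bbb")
	_, scopedErr := r.getBlobScoped("alice", "public/app", "sha256:bbb")
	fmt.Println("weak:", weakErr, "scoped:", scopedErr)
}
```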