References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Change History

https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df

https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r

zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read ac

GitHub, Inc. AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

GitHub, Inc. CWE-639

GitHub, Inc. https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df [No types assigned]

GitHub, Inc. https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r [No types assigned]