CVE-2024-39897
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-39897
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39897.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-39897
- Aliases
- Related
- Published
- 2024-07-09T19:15:12Z
- Modified
- 2025-04-23T18:49:40.465426Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
zot is an OCI image registry. Prior to 2.1.0, the cache driver
GetBlob()allows read access to any blob without access control check. If a ZotaccessControlpolicy allows users read access to some repositories but restricts read access to other repositories anddedupeis enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This attack is possible becauseImageStore.CheckBlob()callscheckCacheBlob()to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository withcopyBlob(). The attack may be mitigated by configuring "dedupe": false in the "storage" settings. The vulnerability is fixed in 2.1.0. - References
Affected packages
Git / github.com/project-zot/zot
Affected ranges
- Type
- GIT
- Repo
- https://github.com/project-zot/zot
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed