CVE-2024-39897

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-39897
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39897.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-39897
Published
2024-07-09T19:15:12Z
Modified
2024-07-11T16:03:03.952704Z
Summary
[none]
Details

zot is an OCI image registry. Prior to 2.1.0, the cache driver GetBlob() allows read access to any blob without an access control check. If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories, and dedupe is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob that they do not have read access to may maliciously read it via a second repository that they do have read access to. This attack is possible because ImageStore.CheckBlob() calls checkCacheBlob() to find the blob in a global cache by searching for the digest. If it is found, it is copied to the user-requested repository with copyBlob(). The attack may be mitigated by configuring "dedupe": false in the "storage" settings. The vulnerability is fixed in 2.1.0.
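
A configuration check for the preconditions described above, as an added example that is not part of the advisory or of zot's own code. It assumes the access policies sit under http.accessControl.repositories in the JSON config and inspects only the top-level "storage" block; the sample config, repository names and users are constructed.

```python
import json

FIXED = (2, 1, 0)  # first fixed release, per the advisory

# Constructed sample config: no "dedupe" key, two repositories with different readers.
SAMPLE = """{
  "storage": {"rootDirectory": "/var/lib/zot"},
  "http": {"accessControl": {"repositories": {
    "team-a/**": {"policies": [{"users": ["alice"], "actions": ["read", "create"]}]},
    "team-b/**": {"policies": [{"users": ["bob"], "actions": ["read"]}]}
  }}}
}"""


def is_affected_version(tag):
    """True for releases before 2.1.0, including 2.1.0 release candidates."""
    core, _, prerelease = tag.lstrip("v").partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return numbers < FIXED or (numbers == FIXED and prerelease != "")


def readers_by_repo(config):
    """Map each repository pattern to the principals its policies grant read."""
    # Assumption: policies live under http.accessControl.repositories.
    repos = config.get("http", {}).get("accessControl", {}).get("repositories", {})
    result = {}
    for pattern, rule in repos.items():
        readers = set()
        for policy in rule.get("policies", []):
            if "read" in policy.get("actions", []):
                readers.update(policy.get("users", []))
                readers.update("group:" + g for g in policy.get("groups", []))
        if "read" in rule.get("defaultPolicy", []):
            readers.add("<default policy>")
        result[pattern] = readers
    return result


def audit(config_text, version):
    """Return per-repository findings, or [] if a precondition is missing."""
    config = json.loads(config_text)
    # A missing "dedupe" key counts as enabled: dedupe is on by default.
    dedupe = config.get("storage", {}).get("dedupe", True)
    readers = readers_by_repo(config)
    distinct = {frozenset(r) for r in readers.values()}
    uniform = len(distinct) == 1 and "**" in readers
    if not is_affected_version(version) or dedupe is False or not any(distinct) or uniform:
        return []
    return [p + ": read by " + (", ".join(sorted(r)) or "nobody")
            for p, r in sorted(readers.items())]
```

A non-empty result means the deployment runs an affected release with dedupe on and repositories whose readers differ, so it should be upgraded to 2.1.0 or have "dedupe": false set.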

Affected packages

Git / github.com/project-zot/zot

Affected ranges

Type
GIT
Repo
https://github.com/project-zot/zot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.3.0

v0.*

v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.10
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.8-rc2
v1.3.8-rc3
v1.3.9
v1.4.0
v1.4.0-rc1
v1.4.0-rc2
v1.4.0-rc3
v1.4.0-rc4
v1.4.1
v1.4.1-rc1
v1.4.1-rc2
v1.4.1-rc3
v1.4.1-rc4
v1.4.1-rc5
v1.4.1-rc6
v1.4.2
v1.4.2-rc1
v1.4.2-rc2
v1.4.2-rc3
v1.4.2-rc4
v1.4.2-rc5
v1.4.2-rc6
v1.4.3
v1.4.3-rc1
v1.4.3-rc2
v1.4.3-rc3
v1.4.3-rc4
v1.4.3-rc5
v1.4.3-rc6
v1.4.3-rc7
v1.4.3-rc8
v1.4.3-rc9

v2.*

v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.0.0-rc6
v2.0.0-rc7
v2.0.0-rc8
v2.0.1
v2.0.1-rc1
v2.0.1-rc2
v2.0.2
v2.0.2-rc1
v2.0.2-rc2
v2.0.2-rc3
v2.0.3
v2.0.4
v2.1.0-rc1
v2.1.0-rc2