CVE-2025-23208

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-23208
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23208.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-23208
Aliases
Downstream
Related
Published
2025-01-17T22:24:09Z
Modified
2025-10-22T18:45:30.409064Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
IdP group membership revocation ignored in zot
Details

zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. Any Zot configuration that relies on group-based authorization will not respect group removal/revocation by an IdP. This issue has been addressed in version 2.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.
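To make the failure mode concrete, the following is an added Go example, not zot's own code. An in-memory map stands in for the boltdb-backed meta.db user record; `SetUserGroupsAppend` reproduces the append-on-login behaviour the advisory describes, `SetUserGroupsReplace` shows the corrected replace-on-login behaviour, and `IsAllowed` is a hypothetical group-based access check. User names, group names and all function names are assumptions made for illustration and do not correspond to zot's real API.

```go
package main

import (
	"fmt"
	"sort"
)

// UserStore stands in for zot's boltdb-backed meta.db user data.
// This is an added, simplified illustration, not zot's own code.
type UserStore struct {
	groups map[string][]string // user -> stored group memberships
}

func NewUserStore() *UserStore {
	return &UserStore{groups: map[string][]string{}}
}

// SetUserGroupsAppend mirrors the flawed behaviour the advisory describes:
// the groups the IdP presents on login are appended to whatever was stored
// before, so a group the IdP has since removed is never dropped.
func (s *UserStore) SetUserGroupsAppend(user string, idpGroups []string) {
	s.groups[user] = append(s.groups[user], idpGroups...)
}

// SetUserGroupsReplace is the corrected behaviour: the IdP's current claim
// set is authoritative, so the stored membership is overwritten on login.
func (s *UserStore) SetUserGroupsReplace(user string, idpGroups []string) {
	fresh := make([]string, len(idpGroups))
	copy(fresh, idpGroups)
	s.groups[user] = fresh
}

// GetUserGroups returns a sorted copy of the stored memberships.
func (s *UserStore) GetUserGroups(user string) []string {
	out := append([]string(nil), s.groups[user]...)
	sort.Strings(out)
	return out
}

// IsAllowed is a minimal (hypothetical) group-based policy check: the user
// passes if any stored group is in the allowed set for the resource.
func IsAllowed(s *UserStore, user string, allowedGroups []string) bool {
	allowed := map[string]bool{}
	for _, g := range allowedGroups {
		allowed[g] = true
	}
	for _, g := range s.groups[user] {
		if allowed[g] {
			return true
		}
	}
	return false
}

// RevocationHonored simulates two logins for a constructed user "alice":
// first with groups {devs, admins}, then, after the IdP revokes admins,
// with {devs} only. It reports whether an admins-only check is now denied.
func RevocationHonored(replace bool) bool {
	s := NewUserStore()
	set := s.SetUserGroupsAppend
	if replace {
		set = s.SetUserGroupsReplace
	}
	set("alice", []string{"devs", "admins"})
	set("alice", []string{"devs"}) // IdP no longer asserts "admins"
	return !IsAllowed(s, "alice", []string{"admins"})
}

func main() {
	fmt.Println("append (vulnerable) honours revocation:", RevocationHonored(false))
	fmt.Println("replace (fixed) honours revocation:    ", RevocationHonored(true))
}
```

The append path keeps "admins" in alice's record after the IdP stops asserting it, which is exactly the authorization bypass the advisory describes; the replace path drops it on the next login. A practitioner auditing a registry on an affected version should treat any group removal performed only at the IdP as not yet effective until zot is upgraded and the user has logged in again.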

Database specific
{
    "cwe_ids": [
        "CWE-269"
    ]
}
References

Affected packages

Git / github.com/project-zot/zot

Affected ranges

Type
GIT
Repo
https://github.com/project-zot/zot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.3.0

v0.*

v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.10
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.8-rc2
v1.3.8-rc3
v1.3.9
v1.4.0
v1.4.0-rc1
v1.4.0-rc2
v1.4.0-rc3
v1.4.0-rc4
v1.4.1
v1.4.1-rc1
v1.4.1-rc2
v1.4.1-rc3
v1.4.1-rc4
v1.4.1-rc5
v1.4.1-rc6
v1.4.2
v1.4.2-rc1
v1.4.2-rc2
v1.4.2-rc3
v1.4.2-rc4
v1.4.2-rc5
v1.4.2-rc6
v1.4.3
v1.4.3-rc1
v1.4.3-rc2
v1.4.3-rc3
v1.4.3-rc4
v1.4.3-rc5
v1.4.3-rc6
v1.4.3-rc7
v1.4.3-rc8
v1.4.3-rc9

v2.*

v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.0.0-rc6
v2.0.0-rc7
v2.0.0-rc8
v2.0.1
v2.0.1-rc1
v2.0.1-rc2
v2.0.2
v2.0.2-rc1
v2.0.2-rc2
v2.0.2-rc3
v2.0.3
v2.0.4
v2.1.0
v2.1.0-rc1
v2.1.0-rc2
v2.1.1
v2.1.2-rc1
v2.1.2-rc2
v2.1.2-rc3
v2.1.2-rc4
v2.1.2-rc5