cvelistv5 - cve-2024-39897

CVE-2024-39897 (GCVE-0-2024-39897)

Vulnerability from cvelistv5 – Published: 2024-07-09 18:48 – Updated: 2024-08-02 04:33

Summary

zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring "dedupe": false in the "storage" settings. The vulnerability is fixed in 2.1.0.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

URL

Tags

	https://github.com/project-zot/zot/security/advis…	x_refsource_CONFIRM
	https://github.com/project-zot/zot/commit/aaee022…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	project-zot	zot	Affected: < 2.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39897",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-10T20:35:45.771671Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T20:35:52.715Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:33:11.364Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"
          },
          {
            "name": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zot",
          "vendor": "project-zot",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. \n This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring \"dedupe\": false in the \"storage\" settings. The vulnerability is fixed in 2.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-09T18:48:24.335Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"
        },
        {
          "name": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"
        }
      ],
      "source": {
        "advisory": "GHSA-55r9-5mx9-qq7r",
        "discovery": "UNKNOWN"
      },
      "title": "Cache driver GetBlob() allows read access to any blob without access control check"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-39897",
    "datePublished": "2024-07-09T18:48:24.335Z",
    "dateReserved": "2024-07-02T19:37:18.599Z",
    "dateUpdated": "2024-08-02T04:33:11.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. \\n This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring \\\"dedupe\\\": false in the \\\"storage\\\" settings. The vulnerability is fixed in 2.1.0.\"}, {\"lang\": \"es\", \"value\": \"zot es un registro de im\\u00e1genes OCI. Antes de 2.1.0, el controlador de cach\\u00e9 `GetBlob()` permite acceso de lectura a cualquier blob sin verificaci\\u00f3n de control de acceso. Si una pol\\u00edtica `accessControl` de Zot permite a los usuarios acceso de lectura a algunos repositorios pero restringe el acceso de lectura a otros repositorios y `dedupe` est\\u00e1 habilitado (est\\u00e1 habilitado de forma predeterminada), entonces un atacante que conoce el nombre de una imagen y el resumen de una blob (al que no tienen acceso de lectura), pueden leerlo maliciosamente a trav\\u00e9s de un segundo repositorio al que s\\u00ed tienen acceso de lectura. Este ataque es posible porque [`ImageStore.CheckBlob()` llama a `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore .go#L1158-L1159) para encontrar el blob como cach\\u00e9 global buscando el resumen. Si se encuentra, se copia al repositorio solicitado por el usuario con `copyBlob()`. El ataque se puede mitigar configurando \\\"dedupe\\\": false en la configuraci\\u00f3n de \\\"storage\\\". La vulnerabilidad se solucion\\u00f3 en 2.1.0.\"}]",
      "id": "CVE-2024-39897",
      "lastModified": "2024-11-21T09:28:31.350",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2024-07-09T19:15:12.953",
      "references": "[{\"url\": \"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-39897\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-09T19:15:12.953\",\"lastModified\":\"2025-04-23T17:30:11.787\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. \\n This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring \\\"dedupe\\\": false in the \\\"storage\\\" settings. The vulnerability is fixed in 2.1.0.\"},{\"lang\":\"es\",\"value\":\"zot es un registro de im\u00e1genes OCI. Antes de 2.1.0, el controlador de cach\u00e9 `GetBlob()` permite acceso de lectura a cualquier blob sin verificaci\u00f3n de control de acceso. Si una pol\u00edtica `accessControl` de Zot permite a los usuarios acceso de lectura a algunos repositorios pero restringe el acceso de lectura a otros repositorios y `dedupe` est\u00e1 habilitado (est\u00e1 habilitado de forma predeterminada), entonces un atacante que conoce el nombre de una imagen y el resumen de una blob (al que no tienen acceso de lectura), pueden leerlo maliciosamente a trav\u00e9s de un segundo repositorio al que s\u00ed tienen acceso de lectura. Este ataque es posible porque [`ImageStore.CheckBlob()` llama a `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore .go#L1158-L1159) para encontrar el blob como cach\u00e9 global buscando el resumen. Si se encuentra, se copia al repositorio solicitado por el usuario con `copyBlob()`. El ataque se puede mitigar configurando \\\"dedupe\\\": false en la configuraci\u00f3n de \\\"storage\\\". La vulnerabilidad se solucion\u00f3 en 2.1.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zotregistry:zot:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.0\",\"matchCriteriaId\":\"474C11AA-39EF-4745-8980-60B31E5DE18C\"}]}]}],\"references\":[{\"url\":\"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r\", \"name\": \"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df\", \"name\": \"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:33:11.364Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39897\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-10T20:35:45.771671Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-10T20:35:50.259Z\"}}], \"cna\": {\"title\": \"Cache driver GetBlob() allows read access to any blob without access control check\", \"source\": {\"advisory\": \"GHSA-55r9-5mx9-qq7r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"project-zot\", \"product\": \"zot\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r\", \"name\": \"https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df\", \"name\": \"https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. \\n This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring \\\"dedupe\\\": false in the \\\"storage\\\" settings. The vulnerability is fixed in 2.1.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-09T18:48:24.335Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-39897\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T04:33:11.364Z\", \"dateReserved\": \"2024-07-02T19:37:18.599Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-09T18:48:24.335Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-39897

Vulnerability from fkie_nvd - Published: 2024-07-09 19:15 - Updated: 2025-04-23 17:30

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df	Patch
security-advisories@github.com	https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r	Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	zotregistry	zot	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zotregistry:zot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "474C11AA-39EF-4745-8980-60B31E5DE18C",
              "versionEndExcluding": "2.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. \n This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring \"dedupe\": false in the \"storage\" settings. The vulnerability is fixed in 2.1.0."
    },
    {
      "lang": "es",
      "value": "zot es un registro de im\u00e1genes OCI. Antes de 2.1.0, el controlador de cach\u00e9 `GetBlob()` permite acceso de lectura a cualquier blob sin verificaci\u00f3n de control de acceso. Si una pol\u00edtica `accessControl` de Zot permite a los usuarios acceso de lectura a algunos repositorios pero restringe el acceso de lectura a otros repositorios y `dedupe` est\u00e1 habilitado (est\u00e1 habilitado de forma predeterminada), entonces un atacante que conoce el nombre de una imagen y el resumen de una blob (al que no tienen acceso de lectura), pueden leerlo maliciosamente a trav\u00e9s de un segundo repositorio al que s\u00ed tienen acceso de lectura. Este ataque es posible porque [`ImageStore.CheckBlob()` llama a `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore .go#L1158-L1159) para encontrar el blob como cach\u00e9 global buscando el resumen. Si se encuentra, se copia al repositorio solicitado por el usuario con `copyBlob()`. El ataque se puede mitigar configurando \"dedupe\": false en la configuraci\u00f3n de \"storage\". La vulnerabilidad se solucion\u00f3 en 2.1.0."
    }
  ],
  "id": "CVE-2024-39897",
  "lastModified": "2025-04-23T17:30:11.787",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-09T19:15:12.953",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-55R9-5MX9-QQ7R

Vulnerability from github – Published: 2024-07-09 21:04 – Updated: 2024-07-10 18:34

Summary

Cache driver GetBlob() allows read access to any blob without access control check

Details

Summary

Cache driver GetBlob() allows read access to any blob without access control check

Details

If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories and dedupe is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This allows an attacker to read an image that the accessControl policy denies.

This attack is possible because ImageStore.CheckBlob() calls checkCacheBlob() to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with copyBlob().

This cache behavior is intentionally used in RouteHandler.CreateBlobUpload() to implement cross repository blob mount (POST /v2/<name>/blobs/uploads/?mount=<digest>&from=<repository name>) in Zot. This is still missing an access control to check read access on the source repository.

This cache behavior is unexpectedly also used in RouteHandler.CheckBlob() too for HEAD /v2/<name>/blobs/<digest>. If a blob is requested that does not exist on the requested repository, Zot will search for it in a global cache (possibly returning a result from an from an incorrect repository) and then will store it into the ImageStore for the requested repository.

RouteHandler.GetBlob() does not call ImageStore.CheckBlob() so it is not directly vulnerable. However an attacker with only limited read access may first call CheckBlob() to fetch the blob from the cache, then call GetBlob() to read the blob.

Mitigation

The attack may be mitigated by configuring "dedupe": false in the "storage" settings. This disables Zot's cache drivers. dedupe is enabled by default using the BoltDB cache driver.

Impact

An attacker can read images that the accessControl policy denies if they have read access to any other second repository.

This attack only allows accessing blobs (both config and layers) by digest. Manifests cannot be accessed.

This attack requires the attacker to know the name of a private image and its layer digests. A scenario where this might happen is if a project has public CI build logs but publishes the image to a private repository. Many image build tools log layer digests.

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "zotregistry.io/zot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "zotregistry.dev/zot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-09T21:04:00Z",
    "nvd_published_at": "2024-07-09T19:15:12Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nCache driver `GetBlob()` allows read access to any blob without access control check\n\n### Details\n\nIf a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This allows an attacker to read an image that the `accessControl` policy denies.\n\nThis attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`.\n\nThis cache behavior is intentionally used in [`RouteHandler.CreateBlobUpload()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L1194-L1197) to implement cross repository blob mount (`POST /v2/\u003cname\u003e/blobs/uploads/?mount=\u003cdigest\u003e\u0026from=\u003crepository name\u003e`) in Zot. This is still missing an access control to check read access on the source repository.\n\nThis cache behavior is unexpectedly also used in [`RouteHandler.CheckBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L886) too for `HEAD /v2/\u003cname\u003e/blobs/\u003cdigest\u003e`. If a blob is requested that does not exist on the requested repository, Zot will search for it in a global cache (possibly returning a result from an from an incorrect repository) and then will store it into the `ImageStore` for the requested repository.\n\n[`RouteHandler.GetBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L1000) does _not_ call `ImageStore.CheckBlob()` so it is not directly vulnerable. However an attacker with only limited read access may first call `CheckBlob()` to fetch the blob from the cache, then call `GetBlob()` to read the blob.\n\n### Mitigation\n\nThe attack may be mitigated by configuring `\"dedupe\": false` in the `\"storage\"` settings. This disables Zot\u0027s cache drivers. `dedupe` is enabled by default using the BoltDB cache driver.\n\n### Impact\n\nAn attacker can read images that the `accessControl` policy denies if they have read access to any other second repository.\n\nThis attack only allows accessing blobs (both config and layers) by digest. Manifests cannot be accessed.\n\nThis attack requires the attacker to know the name of a private image and its layer digests. A scenario where this might happen is if a project has public CI build logs but publishes the image to a private repository. Many image build tools log layer digests.\n",
  "id": "GHSA-55r9-5mx9-qq7r",
  "modified": "2024-07-10T18:34:34Z",
  "published": "2024-07-09T21:04:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/project-zot/zot"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cache driver GetBlob() allows read access to any blob without access control check"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-39897 (GCVE-0-2024-39897)

FKIE_CVE-2024-39897

GHSA-55R9-5MX9-QQ7R

Summary

Details

Mitigation

Impact

Tags

Sightings

Nomenclature