PT-2024-28715 · Zot · Zot

Bburky · Published 2024-07-09 · Updated 2024-07-11 · CVE-2024-39897

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: zot versions prior to 2.1.0
Description: The cache driver GetBlob() in zot, an OCI image registry, allows read access to any blob without an access control check. If a zot accessControl policy grants users read access to some repositories but restricts read access to others, and dedupe is enabled, an attacker who knows the name of an image and the digest of one of its blobs can read that blob through a second repository they do have read access to. The attack is possible because ImageStore.CheckBlob() calls checkCacheBlob(), which looks the digest up in a global cache shared across all repositories; if the blob is found, it is copied into the user-requested repository with copyBlob(), bypassing the per-repository policy. The attack requires the attacker to know the name of a private image and its layer digests.
Recommendations: To resolve the issue, update to version 2.1.0 or later. As a temporary workaround, consider configuring "dedupe": false in the "storage" settings to disable zot's cache drivers.
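The workaround applied to a zot config.json, as an added example that is not part of this advisory or of the zot project. Only the "dedupe": false key under "storage" comes from the advisory; the root directory, listen address and port, htpasswd path, repository names and user name are constructed placeholders, and the accessControl layout is assumed to follow zot's documented schema (a public pattern readable by anyone, a private pattern readable only by one user). JSON carries no comments, so the assumptions are stated here rather than inline.

```json
{
  "storage": {
    "rootDirectory": "/var/lib/zot",
    "dedupe": false
  },
  "http": {
    "address": "127.0.0.1",
    "port": "5000",
    "auth": {
      "htpasswd": {
        "path": "/etc/zot/htpasswd"
      }
    },
    "accessControl": {
      "repositories": {
        "public/**": {
          "anonymousPolicy": ["read"],
          "defaultPolicy": ["read"]
        },
        "private/**": {
          "policies": [
            {
              "users": ["alice"],
              "actions": ["read"]
            }
          ],
          "defaultPolicy": []
        }
      }
    }
  },
  "log": {
    "level": "info"
  }
}
```

The point of the example is the combination the advisory names: an accessControl section that splits readable and restricted repositories, which is exactly the setup where a shared deduplication cache lets a blob cross the boundary, paired with "dedupe": false so that a blob under private/** is not served through public/**. Restart zot after changing the file; the advisory describes this as a temporary measure, so once the instance runs 2.1.0 or later dedupe can be re-enabled.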

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2024-39897
GHSA-55R9-5MX9-QQ7R
GO-2024-2979

Affected Products

Zot