Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)
Vulnerability Description
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
zot 安全漏洞
Vulnerability Description
zot是The zot Project开源的一个 OCI 图像注册表。 zot 1.3.0版本至2.1.14版本存在安全漏洞,该漏洞源于dist-spec授权中间件对PUT /v2/{name}/manifests/{reference}请求的所需操作推断不当,可能导致授权绕过。
CVSS Information
N/A
Vulnerability Type
N/A