Cache driver GetBlob() allows read access to any blob without access control check
Details
If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories, and dedupe is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob that they do not have read access to can read that blob via a second repository they do have read access to. This allows an attacker to read an image that the accessControl policy denies.
Advisory GHSA-55r9-5mx9-qq7r references a vulnerability in the following Go modules:
Description:
Summary
Cache driver GetBlob() allows read access to any blob without access control check
Details
If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories, and dedupe is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob that they do not have read access to can read that blob via a second repository they do have read access to. This allows an attacker to read an image that the accessControl policy denies.
This attack is possible because [...
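The failure mode described in the Details above (a per-repository read check followed by a digest-only lookup in a cache shared across repositories) is modelled below as an added Go example. This is illustrative code written for this page, not Zot's cache driver or its fix; the Registry type, GetBlobUnchecked, GetBlob and the sample users, repositories and digests are all hypothetical. The unchecked variant serves any blob the caller can name through any repository they may read; the hardened variant additionally requires the digest to be referenced by the authorized repository before consulting the shared store.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors for the toy registry (hypothetical names, not Zot's API).
var (
	ErrForbidden = errors.New("read access to repository denied")
	ErrNotFound  = errors.New("blob not referenced by repository")
)

// Registry is a minimal model of a dedupe-enabled blob store with a
// per-repository read policy. Blob content is stored once per digest and
// shared by every repository that references it, which is what dedupe means.
type Registry struct {
	acl       map[string]map[string]bool // user -> repo -> read allowed
	repoBlobs map[string]map[string]bool // repo -> digest -> referenced by that repo
	cache     map[string][]byte          // digest -> content, shared across repos
}

func NewRegistry() *Registry {
	return &Registry{
		acl:       map[string]map[string]bool{},
		repoBlobs: map[string]map[string]bool{},
		cache:     map[string][]byte{},
	}
}

// Grant gives user read access to repo (models one accessControl policy entry).
func (r *Registry) Grant(user, repo string) {
	if r.acl[user] == nil {
		r.acl[user] = map[string]bool{}
	}
	r.acl[user][repo] = true
}

// PutBlob stores content under its digest once (deduplicated) and records
// that repo references that digest.
func (r *Registry) PutBlob(repo, digest string, content []byte) {
	if _, exists := r.cache[digest]; !exists {
		r.cache[digest] = content
	}
	if r.repoBlobs[repo] == nil {
		r.repoBlobs[repo] = map[string]bool{}
	}
	r.repoBlobs[repo][digest] = true
}

func (r *Registry) canRead(user, repo string) bool {
	return r.acl[user][repo]
}

// GetBlobUnchecked models the flaw: the policy is checked for the repository
// named in the request, but the blob is then fetched from the shared cache by
// digest alone, so a blob that exists only in a restricted repository is
// served through any repository the caller may read.
func (r *Registry) GetBlobUnchecked(user, repo, digest string) ([]byte, error) {
	if !r.canRead(user, repo) {
		return nil, ErrForbidden
	}
	content, ok := r.cache[digest]
	if !ok {
		return nil, ErrNotFound
	}
	return content, nil
}

// GetBlob is the hardened form: after the policy check, the digest must be
// referenced by the authorized repository itself before the shared cache is
// consulted. A blob that only other repositories reference is reported as not
// found, which is the same answer a store without dedupe would give.
func (r *Registry) GetBlob(user, repo, digest string) ([]byte, error) {
	if !r.canRead(user, repo) {
		return nil, ErrForbidden
	}
	if !r.repoBlobs[repo][digest] {
		return nil, ErrNotFound
	}
	content, ok := r.cache[digest]
	if !ok {
		return nil, ErrNotFound
	}
	return content, nil
}

func main() {
	// Constructed sample data: alice may read public/app only.
	r := NewRegistry()
	r.Grant("alice", "public/app")
	r.PutBlob("public/app", "sha256:aaaa", []byte("public layer"))
	r.PutBlob("private/secret", "sha256:bbbb", []byte("secret layer"))

	_, err := r.GetBlobUnchecked("alice", "public/app", "sha256:bbbb")
	fmt.Println("unchecked lookup of private blob via public repo:", err) // <nil>: served
	_, err = r.GetBlob("alice", "public/app", "sha256:bbbb")
	fmt.Println("checked lookup of private blob via public repo:", err) // blob not referenced by repository
}
```

The repository-reference check is what makes the authorization decision and the data lookup agree: the policy was evaluated for one repository, so only blobs that repository actually references may be returned through it, regardless of how the bytes are stored underneath.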
References:
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.