
x/vulndb: potential Go vuln in zotregistry.dev/zot: GHSA-55r9-5mx9-qq7r #2979

GoVulnBot opened this issue Jul 9, 2024 · 1 comment
@GoVulnBot
Advisory GHSA-55r9-5mx9-qq7r references a vulnerability in the following Go modules:

Module
zotregistry.dev/zot

Description:

Summary

Cache driver GetBlob() allows read access to any blob without access control check

Details

If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories and dedupe is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to) may maliciously read it via a second repository they do have read access to. This allows an attacker to read an image that the accessControl policy denies.

This attack is possible because [...

References:

Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: zotregistry.dev/zot
      non_go_versions:
        - fixed: 2.1.0
      vulnerable_at: 1.4.3
summary: |-
    Cache driver GetBlob() allows read access to any blob without access control
    check in zotregistry.dev/zot
cves:
    - CVE-2024-39897
ghsas:
    - GHSA-55r9-5mx9-qq7r
references:
    - advisory: https://github.com/advisories/GHSA-55r9-5mx9-qq7r
    - advisory: https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39897
    - fix: https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df
source:
    id: GHSA-55r9-5mx9-qq7r
    created: 2024-07-09T22:01:25.334790516Z
review_status: UNREVIEWED
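As an added illustration (not zot's code and not part of the advisory text), a constructed Go model of the behaviour the advisory describes: a per-repository read policy in front of a dedupe cache keyed by digest alone, with the leaking lookup beside an assumed mitigation that also requires the requested repository to reference the digest. The names Registry, GetBlobVulnerable, GetBlobFixed, NewSampleRegistry and the sample users, repositories and digests are all assumptions.

```go
package main

import "errors"

// Added illustration (not zot's code): constructed model of a registry with a
// per-repo read policy and a dedupe blob cache keyed by digest only.
type Registry struct {
	readAccess  map[string]map[string]bool // user -> repo -> may read
	repoBlobs   map[string]map[string]bool // repo -> digest -> referenced by repo
	dedupeCache map[string][]byte          // digest -> content, shared across repos
}

var ErrDenied = errors.New("access denied")
var ErrNotFound = errors.New("blob not found")

// GetBlobVulnerable models the flaw: only the requested repo is policy-checked,
// then the shared cache is read by digest, so a restricted repo's blob leaks.
func (r *Registry) GetBlobVulnerable(user, repo, digest string) ([]byte, error) {
	if !r.readAccess[user][repo] {
		return nil, ErrDenied
	}
	if b, ok := r.dedupeCache[digest]; ok {
		return b, nil
	}
	return nil, ErrNotFound
}

// GetBlobFixed (assumed mitigation) also requires that the requested repo
// itself references the digest before consulting the shared cache.
func (r *Registry) GetBlobFixed(user, repo, digest string) ([]byte, error) {
	if !r.readAccess[user][repo] {
		return nil, ErrDenied
	}
	if !r.repoBlobs[repo][digest] {
		return nil, ErrNotFound
	}
	if b, ok := r.dedupeCache[digest]; ok {
		return b, nil
	}
	return nil, ErrNotFound
}

// NewSampleRegistry: constructed data; "alice" may read "public" only, and "sha256:aaa" is referenced only by "secret".
func NewSampleRegistry() *Registry {
	return &Registry{
		readAccess:  map[string]map[string]bool{"alice": {"public": true}},
		repoBlobs:   map[string]map[string]bool{"secret": {"sha256:aaa": true}, "public": {"sha256:bbb": true}},
		dedupeCache: map[string][]byte{"sha256:aaa": []byte("private layer"), "sha256:bbb": []byte("public layer")},
	}
}
```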

@zpavlinovic zpavlinovic self-assigned this Jul 10, 2024
@gopherbot

Change https://go.dev/cl/597495 mentions this issue: data/reports: add GO-2024-2979
