zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. The attack may be mitigated by configuring "dedupe": false in the "storage" settings. The vulnerability is fixed in 2.1.0.
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
| Link | Tags |
|---|---|
| https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r | mitigation vendor advisory |
| https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df | patch |