logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-39897 zotregistry.dev/zot

Package

Manager: go
Name: zotregistry.dev/zot
Vulnerable Version: >=0 <2.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00266 pctl0.49825

Details

Cache driver GetBlob() allows read access to any blob without access control check ### Summary Cache driver `GetBlob()` allows read access to any blob without access control check ### Details If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This allows an attacker to read an image that the `accessControl` policy denies. This attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`. This cache behavior is intentionally used in [`RouteHandler.CreateBlobUpload()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L1194-L1197) to implement cross repository blob mount (`POST /v2/<name>/blobs/uploads/?mount=<digest>&from=<repository name>`) in Zot. This is still missing an access control to check read access on the source repository. This cache behavior is unexpectedly also used in [`RouteHandler.CheckBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L886) too for `HEAD /v2/<name>/blobs/<digest>`. If a blob is requested that does not exist on the requested repository, Zot will search for it in a global cache (possibly returning a result from an from an incorrect repository) and then will store it into the `ImageStore` for the requested repository. [`RouteHandler.GetBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L1000) does _not_ call `ImageStore.CheckBlob()` so it is not directly vulnerable. However an attacker with only limited read access may first call `CheckBlob()` to fetch the blob from the cache, then call `GetBlob()` to read the blob. ### Mitigation The attack may be mitigated by configuring `"dedupe": false` in the `"storage"` settings. This disables Zot's cache drivers. `dedupe` is enabled by default using the BoltDB cache driver. ### Impact An attacker can read images that the `accessControl` policy denies if they have read access to any other second repository. This attack only allows accessing blobs (both config and layers) by digest. Manifests cannot be accessed. This attack requires the attacker to know the name of a private image and its layer digests. A scenario where this might happen is if a project has public CI build logs but publishes the image to a private repository. Many image build tools log layer digests.

Metadata

Created: 2024-07-09T21:04:00Z
Modified: 2024-07-10T18:34:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-55r9-5mx9-qq7r/GHSA-55r9-5mx9-qq7r.json
CWE IDs: ["CWE-639"]
Alternative ID: GHSA-55r9-5mx9-qq7r
Finding: F039
Auto approve: 1