Zot
Zot registry versions 1.3.0 through 2.1.14 have an authorization bypass in the manifest upload endpoint that allows authenticated users with only create permissions to overwrite the latest tag when it already exists. An attacker with limited write privileges can leverage this flaw to replace the latest image version, potentially distributing malicious container images to downstream consumers. The vulnerability is fixed in version 2.1.15.
zot is a production-ready, vendor-neutral OCI image registry. The vulnerability is rated high severity (CVSS 7.3): remotely exploitable, no authentication required, low attack complexity. Public exploit code is available.
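To make the flaw concrete, here is an added model of the manifest-upload authorization decision (illustrative code, not zot's own): the pre-fix check beside a hardened one that refuses to overwrite an existing tag unless the caller holds an update permission. The action names `create`/`update`, the in-memory repository, and the sample digests are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Repo:
    """Minimal stand-in for a registry repository: tag -> manifest digest."""
    tags: dict = field(default_factory=dict)


def put_manifest_vulnerable(repo, user_actions, tag, digest):
    """Pre-fix behaviour (assumed): 'create' alone is enough to write a
    manifest, even when the tag already exists, so 'latest' can be replaced."""
    if "create" not in user_actions and "update" not in user_actions:
        return False
    repo.tags[tag] = digest
    return True


def put_manifest_fixed(repo, user_actions, tag, digest):
    """Hardened behaviour: creating a new tag needs 'create' (or 'update'),
    but overwriting a tag that already exists requires 'update'."""
    if tag in repo.tags:
        allowed = "update" in user_actions
    else:
        allowed = "create" in user_actions or "update" in user_actions
    if not allowed:
        return False
    repo.tags[tag] = digest
    return True


def find_create_only_overwrites(events):
    """Defender-side audit over constructed upload events: report any manifest
    PUT that replaced an existing tag while the caller only had 'create'."""
    return [
        (e["user"], e["repo"], e["tag"])
        for e in events
        if e["tag_existed"] and e["actions"] == {"create"}
    ]


def demo(put):
    """Run one create-only overwrite attempt of 'latest' against a policy."""
    repo = Repo({"latest": "sha256:aaaa"})  # constructed initial state
    ok = put(repo, {"create"}, "latest", "sha256:bbbb")
    return ok, repo.tags["latest"]
```

Consumers who pull by digest rather than by the `latest` tag are unaffected by a tag overwrite, which is the downstream mitigation while registries are upgraded to 2.1.15.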