CVSS base score: 7.7 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Activity log (by @mweinelt)
- Created automatic suggestion
- @mweinelt removed 6 packages: zotero, zotify, zotero_7, zotero-beta, haskellPackages.zot, zotero-translation-server
- @mweinelt dismissed
zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)
zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15.
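To make the authorization flaw concrete, the following Go snippet is an added illustration (not zot's own code) that models the action-inference rule exactly as the advisory describes it, beside a corrected rule that treats any push to an existing tag as an update. The `Repo`, `Policy`, `inferActionVulnerable` and `inferActionFixed` names, the tag set and the create-only user are all constructed for this example; the corrected rule is one reasonable fix and is not claimed to be the actual 2.1.15 patch. Registry operators can use the same shape of check to confirm that a create-only identity is denied an overwrite of `latest` after upgrading.

```go
package main

import "fmt"

// Action is the permission a dist-spec policy grants or denies for a request.
type Action string

const (
	Create Action = "create"
	Update Action = "update"
)

// Repo is a constructed stand-in for a repository's stored tags.
type Repo struct{ tags map[string]bool }

// TagExists reports whether a tag is already present in the repository.
func (r Repo) TagExists(tag string) bool { return r.tags[tag] }

// inferActionVulnerable reproduces the rule the advisory describes:
// default to create, and switch to update only when the tag exists
// AND the reference is not "latest". The "latest" exception is the defect.
func inferActionVulnerable(r Repo, reference string) Action {
	if r.TagExists(reference) && reference != "latest" {
		return Update
	}
	return Create
}

// inferActionFixed is an assumed corrected rule (not zot's actual patch):
// any manifest push to an existing tag requires the update permission,
// with no special case for "latest".
func inferActionFixed(r Repo, reference string) Action {
	if r.TagExists(reference) {
		return Update
	}
	return Create
}

// Policy maps a user to the set of actions it is allowed (constructed).
type Policy map[string]map[Action]bool

// authorize returns true when the policy grants the inferred action.
func authorize(p Policy, user string, need Action) bool { return p[user][need] }

// NewDemoRepo builds the constructed sample repository: "latest" and "v1" exist.
func NewDemoRepo() Repo {
	return Repo{tags: map[string]bool{"latest": true, "v1": true}}
}

// NewDemoPolicy builds the constructed sample policy: user "ci" may create only.
func NewDemoPolicy() Policy {
	return Policy{"ci": {Create: true}}
}

func main() {
	repo, policy := NewDemoRepo(), NewDemoPolicy()
	for _, ref := range []string{"latest", "v1", "v2"} {
		vul := inferActionVulnerable(repo, ref)
		fix := inferActionFixed(repo, ref)
		fmt.Printf("PUT manifest %-6s  vulnerable: need=%-6s allowed=%-5v  fixed: need=%-6s allowed=%v\n",
			ref, vul, authorize(policy, "ci", vul), fix, authorize(policy, "ci", fix))
	}
}
```

Under the vulnerable rule a create-only user is authorized to overwrite the existing `latest` tag because the request is classified as `create`; under the corrected rule the same request needs `update` and is denied, while pushes to new tags behave identically in both variants.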
References
- https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6
Affected products
- zot >= 1.3.0, < v2.1.15
Ignored packages (6)
- pkgs.zotero: Collect, organize, cite, and share your research sources
- pkgs.zotify: Fast and customizable music and podcast downloader
- pkgs.zotero_7: Collect, organize, cite, and share your research sources
- pkgs.zotero-beta: Collect, organize, cite, and share your research sources
  - nixos-25.11 7.0.0-beta.111+b4f6c050e
  - nixos-25.11-small 7.0.0-beta.111+b4f6c050e
  - nixpkgs-25.11-darwin 7.0.0-beta.111+b4f6c050e
- pkgs.haskellPackages.zot: Zot language
- pkgs.zotero-translation-server: Node.js-based server to run Zotero translators
  - nixos-unstable 2023-07-13
  - nixpkgs-unstable 2023-07-13
  - nixos-unstable-small 2023-07-13
  - nixos-25.11 2023-07-13
  - nixos-25.11-small 2023-07-13
  - nixpkgs-25.11-darwin 2023-07-13