VYPR

Go modules package

zotregistry.dev/zot

pkg:golang/zotregistry.dev/zot

Vulnerabilities (4)

  • CVE-2026-31801 · Mar 10, 2026
    affected >= 1.3.0-20210831063041-c8779d9e87d9, <= 1.4.4-20251014054906-73eef25681af

    zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches

  • CVE-2025-48374 · Med · May 22, 2025
    affected < 1.4.4-0.20250522160828-8a99a3ed231f, fixed 1.4.4-0.20250522160828-8a99a3ed231f

    zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an OIDC provider, the clientsecret gets printed into t

  • CVE-2025-23208 · Jan 17, 2025
    affected < 2.1.2, fixed 2.1.2

    zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships, t

  • CVE-2024-39897 · Jul 9, 2024
    affected < 2.1.0, fixed 2.1.0

    zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is en