Go modules package
zotregistry.dev/zot
pkg:golang/zotregistry.dev/zot
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-31801 | | — | | >= 1.3.0-20210831063041-c8779d9e87d9, <= 1.4.4-20251014054906-73eef25681af | — | Mar 10, 2026 | zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches |
| CVE-2025-48374 | Med | — | | < 1.4.4-0.20250522160828-8a99a3ed231f | 1.4.4-0.20250522160828-8a99a3ed231f | May 22, 2025 | zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an OIDC provider, the clientsecret gets printed into t |
| CVE-2025-23208 | | — | | < 2.1.2 | 2.1.2 | Jan 17, 2025 | zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships, t |
| CVE-2024-39897 | | — | | < 2.1.0 | 2.1.0 | Jul 9, 2024 | zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is en |