CVE-2025-23208
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-23208
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23208.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-23208
- Aliases
- Related
- Published
- 2025-01-17T23:15:13Z
- Modified
- 2025-01-28T15:26:48.460488Z
- Summary
- [none]
- Details
-
zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. Any Zot configuration that relies on group-based authorization will not respect group remove/revocation by an IdP. This issue has been addressed in version 2.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.
- References
Affected packages
Git / github.com/project-zot/zot
Affected ranges
- Type
- GIT
- Repo
- https://github.com/project-zot/zot
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.3.0
v0.*
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.10
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.8-rc2
v1.3.8-rc3
v1.3.9
v1.4.0
v1.4.0-rc1
v1.4.0-rc2
v1.4.0-rc3
v1.4.0-rc4
v1.4.1
v1.4.1-rc1
v1.4.1-rc2
v1.4.1-rc3
v1.4.1-rc4
v1.4.1-rc5
v1.4.1-rc6
v1.4.2
v1.4.2-rc1
v1.4.2-rc2
v1.4.2-rc3
v1.4.2-rc4
v1.4.2-rc5
v1.4.2-rc6
v1.4.3
v1.4.3-rc1
v1.4.3-rc2
v1.4.3-rc3
v1.4.3-rc4
v1.4.3-rc5
v1.4.3-rc6
v1.4.3-rc7
v1.4.3-rc8
v1.4.3-rc9
v2.*
v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.0.0-rc6
v2.0.0-rc7
v2.0.0-rc8
v2.0.1
v2.0.1-rc1
v2.0.1-rc2
v2.0.2
v2.0.2-rc1
v2.0.2-rc2
v2.0.2-rc3
v2.0.3
v2.0.4
v2.1.0
v2.1.0-rc1
v2.1.0-rc2
v2.1.1
v2.1.2-rc1
v2.1.2-rc2
v2.1.2-rc3
v2.1.2-rc4