CVE-2024-39897

CVE-2024-39897 is a medium-severity security vulnerability in zotregistry.io/zot (go), affecting versions < 2.1.0. It is fixed in 2.1.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Cache driver GetBlob() allows read access to any blob without access control check

Cache driver GetBlob() allows read access to any blob without access control check

Details

If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories and dedupe is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This allows an attacker to read an image that the accessControl policy denies.

This attack is possible because ImageStore.CheckBlob() calls checkCacheBlob() to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with copyBlob().

This cache behavior is intentionally used in RouteHandler.CreateBlobUpload() to implement cross repository blob mount (POST /v2/<name>/blobs/uploads/?mount=<digest>&from=<repository name>) in Zot. This is still missing an access control to check read access on the source repository.

This cache behavior is unexpectedly also used in RouteHandler.CheckBlob() too for HEAD /v2/<name>/blobs/<digest>. If a blob is requested that does not exist on the requested repository, Zot will search for it in a global cache (possibly returning a result from an from an incorrect repository) and then will store it into the ImageStore for the requested repository.

RouteHandler.GetBlob() does not call ImageStore.CheckBlob() so it is not directly vulnerable. However an attacker with only limited read access may first call CheckBlob() to fetch the blob from the cache, then call GetBlob() to read the blob.

Mitigation

The attack may be mitigated by configuring "dedupe": false in the "storage" settings. This disables Zot's cache drivers. dedupe is enabled by default using the BoltDB cache driver.

Impact

An attacker can read images that the accessControl policy denies if they have read access to any other second repository.

This attack only allows accessing blobs (both config and layers) by digest. Manifests cannot be accessed.

This attack requires the attacker to know the name of a private image and its layer digests. A scenario where this might happen is if a project has public CI build logs but publishes the image to a private repository. Many image build tools log layer digests.

CVE-2024-39897 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.1.0); upgrading removes the vulnerable code path.

Affected versions

zotregistry.io/zot (< 2.1.0) zotregistry.dev/zot (< 2.1.0)

Security releases

zotregistry.io/zot → 2.1.0 (go) zotregistry.dev/zot → 2.1.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

zotregistry.io/zot to 2.1.0 or later; zotregistry.dev/zot to 2.1.0 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2024-39897? CVE-2024-39897 is a medium-severity security vulnerability in zotregistry.io/zot (go), affecting versions < 2.1.0. It is fixed in 2.1.0.
  2. How severe is CVE-2024-39897? CVE-2024-39897 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2024-39897?
    • zotregistry.io/zot (go) (versions < 2.1.0)
    • zotregistry.dev/zot (go) (versions < 2.1.0)
  4. Is there a fix for CVE-2024-39897? Yes. CVE-2024-39897 is fixed in 2.1.0. Upgrade to this version or later.
  5. Is CVE-2024-39897 exploitable, and should I be worried? Whether CVE-2024-39897 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-39897 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-39897?
    • Upgrade zotregistry.io/zot to 2.1.0 or later
    • Upgrade zotregistry.dev/zot to 2.1.0 or later

Stop the waste.
Protect your environment with Kodem.