Zot Open Container Registry Client Secret Exposure Vulnerability
Vulnerability
A vulnerability exists in Zot, an Open Container Initiative distribution specification-based image registry, prior to version 2.1.3, when Keycloak is used as an OpenID Connect (OIDC) provider. In these versions, the client secret is inadvertently logged to the container's standard output, such as during container startup. This issue has been addressed in version 2.1.3.
Impact
This vulnerability leads to the unintentional exposure of sensitive information, specifically client secrets, in the container logs.
Reproduction
To reproduce this vulnerability, deploy a Zot instance on Kubernetes using an affected container image (any version prior to 2.1.3). Configure the deployment to use Keycloak as the OIDC provider, including the client secret in the configuration. Once the deployment is running, the client secret will be visible in the container's stdout logs.
Remediation
Users can upgrade to Zot version 2.1.3 or later to address this vulnerability.
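As an added example (not Zot's own code), the following Go program shows the two defender-side checks this advisory calls for: redacting secret-bearing keys before a configuration is echoed to stdout, and auditing captured container logs for a configured client secret. The config key layout (`http.auth.openid.providers.oidc.clientsecret`) is assumed, and the sample config and log lines are constructed; none of it is taken from Zot.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Config keys whose values must never reach stdout. "clientsecret" is the
// assumed name of the OIDC client secret key in a zot config file.
var secretKeys = map[string]bool{"clientsecret": true, "password": true}

// RedactSecrets returns a copy of a parsed JSON config in which every value
// under a secret-bearing key, at any depth, is replaced by "[REDACTED]".
// Log this copy at startup, never the raw config.
func RedactSecrets(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if secretKeys[strings.ToLower(k)] {
				out[k] = "[REDACTED]"
			} else {
				out[k] = RedactSecrets(val)
			}
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = RedactSecrets(val)
		}
		return out
	default:
		return v
	}
}

// CollectSecrets walks a parsed config and returns every non-empty string
// stored under a secret-bearing key, i.e. the values a log audit must find.
func CollectSecrets(v interface{}) []string {
	var found []string
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if s, ok := val.(string); ok && secretKeys[strings.ToLower(k)] && s != "" {
				found = append(found, s)
			} else {
				found = append(found, CollectSecrets(val)...)
			}
		}
	case []interface{}:
		for _, val := range t {
			found = append(found, CollectSecrets(val)...)
		}
	}
	return found
}

// LeakedLines returns the 1-based numbers of log lines that contain any of
// the secrets verbatim. Feed it the output of `kubectl logs <zot-pod>`.
func LeakedLines(logs string, secrets []string) []int {
	var hits []int
	for i, line := range strings.Split(logs, "\n") {
		for _, s := range secrets {
			if strings.Contains(line, s) {
				hits = append(hits, i+1)
				break
			}
		}
	}
	return hits
}

// Constructed sample config (assumed key layout; the secret value is made up).
const sampleConfig = `{"http":{"auth":{"openid":{"providers":{"oidc":{
  "issuer":"https://keycloak.example.internal/realms/zot","clientid":"zot-client",
  "clientsecret":"CONSTRUCTED-SECRET-0a1b2c3d","scopes":["openid","profile"]}}}}}}`

// Constructed sample of a vulnerable startup log: line 2 echoes the loaded
// config, secret included, to stdout.
const sampleLogs = `{"level":"info","message":"starting registry"}
{"level":"info","message":"loaded config","config":{"http":{"auth":{"openid":{"providers":{"oidc":{"clientid":"zot-client","clientsecret":"CONSTRUCTED-SECRET-0a1b2c3d"}}}}}}}
{"level":"info","message":"listening on :5000"}`

func parseSampleConfig() interface{} {
	var cfg interface{}
	if err := json.Unmarshal([]byte(sampleConfig), &cfg); err != nil {
		panic(err) // the sample is a constant, so this cannot fail at runtime
	}
	return cfg
}

// AuditSampleLogs reports which sample log lines expose a configured secret.
func AuditSampleLogs() []int {
	return LeakedLines(sampleLogs, CollectSecrets(parseSampleConfig()))
}

func main() {
	safe, _ := json.MarshalIndent(RedactSecrets(parseSampleConfig()), "", "  ")
	fmt.Println(string(safe)) // clientsecret prints as [REDACTED]
	fmt.Println("secret leaked on log lines:", AuditSampleLogs())
}
```

Run against a real deployment by replacing the constructed `sampleLogs` with captured `kubectl logs` output and `sampleConfig` with the deployed config; a non-empty result from `LeakedLines` means the secret has reached the log pipeline and should be rotated in Keycloak after upgrading.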
