Zot Dist-Spec Authorization Middleware Vulnerability Allows Unauthorized Overwrite of 'Latest' Tag
Vulnerability
A vulnerability in Zot, an OCI-compliant container image registry, allows users with 'create' permissions (but not 'update') to overwrite existing 'latest' tags. This issue arises because the authorization middleware defaults to 'create' for new manifests, only switching to 'update' when a tag already exists and is not 'latest'. As a result, a user can bypass authorization restrictions and modify the 'latest' tag, potentially disrupting deployment policies that rely on tag immutability.
Impact
Exploitation of this vulnerability can lead to unauthorized modifications of the 'latest' tag, breaking trust in CI/CD processes that depend on tag integrity. This creates a supply chain risk, as critical tags can be altered by users with limited permissions.
Reproduction
To reproduce this vulnerability, configure a repository to grant a user 'create' permissions without 'update' rights. Ensure there is a tag named 'latest' in the repository. When the user attempts to push a new manifest to the 'latest' tag, the authorization check will incorrectly allow the overwrite, despite the existing tag.
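The decision the advisory describes, rewritten as an added Go illustration (not Zot's own middleware code) next to its corrected form; the function names requiredActionVulnerable, requiredActionFixed and Allowed are hypothetical, and the permission set and existing tags are a constructed scenario.

```go
package main

import "fmt"

// Action is the permission the dist-spec middleware demands for a manifest push.
type Action string

const (
	ActionCreate Action = "create"
	ActionUpdate Action = "update"
)

// requiredActionVulnerable mirrors the flawed decision described in the advisory
// (hypothetical reconstruction, not Zot's source): the action defaults to "create"
// and only becomes "update" when the tag exists AND is not "latest", so an
// existing "latest" tag is treated like a brand-new manifest.
func requiredActionVulnerable(tag string, tagExists bool) Action {
	action := ActionCreate
	if tagExists && tag != "latest" {
		action = ActionUpdate
	}
	return action
}

// requiredActionFixed drops the special case: any push to a tag that already
// resolves to a manifest is an overwrite and therefore requires "update".
func requiredActionFixed(tag string, tagExists bool) Action {
	if tagExists {
		return ActionUpdate
	}
	return ActionCreate
}

// Allowed reports whether a user holding perms may perform action.
func Allowed(perms map[Action]bool, action Action) bool {
	return perms[action]
}

func main() {
	// Constructed scenario: the user holds "create" only; the repository already
	// has "latest" and "v1.0". Only the vulnerable logic lets "latest" be overwritten.
	perms := map[Action]bool{ActionCreate: true}
	existing := map[string]bool{"latest": true, "v1.0": true}
	for _, tag := range []string{"latest", "v1.0", "v2.0"} {
		fmt.Printf("push %-6s vulnerable=%v fixed=%v\n", tag,
			Allowed(perms, requiredActionVulnerable(tag, existing[tag])),
			Allowed(perms, requiredActionFixed(tag, existing[tag])))
	}
}
```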
Remediation
Users are advised to update to Zot version 2.1.15, where this vulnerability has been fixed.
