Platform: go
Component: zotregistry.dev/zot
Fixed in: 2.1.3, 2.1.2
CVE-2025-23208 describes a vulnerability in zotregistry.dev/zot where group membership revocation is ignored. This allows an attacker to potentially bypass access controls and gain unauthorized access to resources. The vulnerability impacts versions prior to 2.1.2. A fix is available in version 2.1.2.
This vulnerability allows an attacker to circumvent the intended revocation process for the IdP group memberships that Zot uses for access control. If a user's group membership is revoked at the identity provider (IdP), the registry should stop granting that user access to resources associated with the group. Because of this flaw, a revoked user may retain that access. The potential impact is unauthorized access to sensitive data or functionality controlled by the group. The blast radius depends on the permissions granted to the affected group; a highly privileged group could lead to significant data breaches or system compromise. The bypass could also be combined with other vulnerabilities to escalate privileges or gain broader access.
This CVE was published on 2025-01-28. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept (POC) code is not currently available. The vulnerability's impact is contingent on the specific group membership and access controls in place.
Organizations running zotregistry.dev/zot with IdP-based authentication, particularly those relying on group memberships for access control, are at risk. This includes deployments where group revocation is a critical security control. Shared hosting environments built on Zot are also potentially vulnerable.
• go / binary: Use go build to compile the Zot source code and then analyze the resulting binary for potential bypass logic related to group membership revocation.
• go / supply-chain: Examine dependencies and submodules used by Zot for potential vulnerabilities that could be exploited in conjunction with this issue.
• generic web: Monitor access logs for unusual activity from users who have recently had their group memberships revoked. Look for requests to resources that should be inaccessible.
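The log-monitoring check above, as an added example that is not part of the original advisory or the Zot project: it correlates constructed IdP revocation events with constructed access-log lines and flags successful accesses that only the revoked group could have authorized. The log format, the repository policy map and the user names are all hypothetical; adapt the parser to your registry's real access-log format.

```python
from datetime import datetime, timezone

# Hypothetical policy: which IdP groups may reach each repository.
REPO_POLICY = {
    "internal/payments": {"payments-devs"},
    "public/base-images": {"everyone", "payments-devs"},
}
# Constructed IdP audit events: (user, group, revoked_at in UTC).
REVOCATIONS = [("alice", "payments-devs", "2025-01-20T09:00:00Z")]
# Group membership as the IdP reports it after the revocations above.
CURRENT_GROUPS = {"alice": {"everyone"}, "bob": {"everyone", "payments-devs"}}
# Constructed access-log lines (not Zot's real format):
# "<ts> user=<u> repo=<r> action=<a> status=<code>"
ACCESS_LOG = """\
2025-01-19T08:00:00Z user=alice repo=internal/payments action=pull status=200
2025-01-20T10:15:00Z user=alice repo=internal/payments action=pull status=200
2025-01-20T10:16:00Z user=alice repo=public/base-images action=pull status=200
2025-01-21T11:00:00Z user=bob repo=internal/payments action=push status=200
2025-01-21T11:05:00Z user=alice repo=internal/payments action=pull status=403
"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_line(line):
    """Split one constructed log line into a dict with a parsed UTC timestamp."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = _ts(ts)
    return fields

def find_stale_access(log_text, policy, revocations, current_groups):
    """Return successful accesses where the user had already lost every group
    that grants the repository, i.e. requests a patched registry should deny."""
    revoked_at = {(u, g): _ts(when) for u, g, when in revocations}
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e["status"] != "200":
            continue  # denied requests are the expected outcome, not findings
        allowed = policy.get(e["repo"], set())
        if allowed & current_groups.get(e["user"], set()):
            continue  # still entitled through a group that was not revoked
        lost = [g for g in allowed
                if (e["user"], g) in revoked_at and revoked_at[(e["user"], g)] <= e["ts"]]
        if lost:  # access happened after the revocation took effect
            findings.append((e["ts"].isoformat(), e["user"], e["repo"], lost))
    return findings
```

Accesses dated before the revocation and requests that were already rejected are deliberately excluded so the output only contains accesses consistent with stale group membership.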
Disclosure:
Exploit status:
EPSS: 0.11% (29th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade to version 2.1.2 or later of zotregistry.dev/zot. If upgrading immediately is not possible, note that no direct workaround is available; instead, reduce exposure by carefully reviewing and restricting the permissions granted to groups, so that a successful bypass has limited impact. Monitor Zot logs for unusual access patterns or attempts to access resources after a group revocation. Consider stricter authentication and authorization policies to limit the damage from unauthorized access.
Upgrade zot to version 2.1.2 or later. This version fixes the vulnerability in which revocation of IdP group membership is ignored. The update ensures that user permissions are managed correctly.
CVE-2025-23208 is a HIGH severity vulnerability affecting Zot versions before 2.1.2, allowing attackers to bypass group membership revocation and potentially gain unauthorized access.
If you are using Zot versions prior to 2.1.2, you are potentially affected by this vulnerability. Assess your environment and upgrade as soon as possible.
Upgrade to version 2.1.2 or later of zotregistry.dev/zot to remediate the vulnerability. If immediate upgrade is not possible, implement temporary access control restrictions.
There is currently no public information indicating that CVE-2025-23208 is being actively exploited.
Refer to the Zot project's official advisory channels for the most up-to-date information regarding CVE-2025-23208.