CVE-2024-39897: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2024-39897) affects zot, an OCI image registry, in versions prior to 2.1.0. The issue involves the cache driver GetBlob() function allowing unauthorized read access to any blob when certain conditions are met. The vulnerability was discovered and disclosed on July 9, 2024, affecting the zot registry software when the dedupe feature is enabled (which is the default configuration) (GitHub Advisory).

The vulnerability stems from the cache driver's GetBlob() implementation where ImageStore.CheckBlob() calls checkCacheBlob() to search for blobs in a global cache using their digest. When a blob is found, it is copied to the user-requested repository using copyBlob() without proper access control verification. The issue has a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity (NVD).

An attacker with read access to any repository can potentially access blobs (both config and layers) from repositories they don't have permission to access, provided they know the image name and blob digest. This bypass only works for accessing blobs by digest, and manifests remain protected. The attack scenario is particularly relevant in environments where projects have public CI build logs but private image repositories, as many image build tools log layer digests (GitHub Advisory).

The vulnerability has been fixed in version 2.1.0 of zot. For users unable to upgrade immediately, the attack can be mitigated by configuring "dedupe": false in the "storage" settings, which disables Zot's cache drivers. This is a temporary workaround until the system can be updated to the patched version (GitHub Advisory).