Project-zot is a container image and artifact registry implementing the Open Container Initiative Distribution Specification. Between versions 1.3.0 and 2.1.14, the authorization middleware responsible for controlling access to PUT requests on manifests incorrectly infers the required action. Specifically, when a client issues a PUT request to /v2/{name}/manifests/{reference}, the middleware defaults to treating the action as a 'create' operation. It only switches to 'update' if the tag already exists and the reference is not 'latest'. Consequently, if the 'latest' tag exists, a user with permission to create manifests but without permission to update them can overwrite the 'latest' tag, bypassing authorization checks. This is a classic case of incorrect authorization (CWE-863), where the system fails to properly distinguish between create and update operations based on the tag reference. The vulnerability affects the integrity of container images by allowing unauthorized overwrites, potentially leading to supply chain risks or deployment of malicious images. The CVSS 3.1 score is 7.7 (high), reflecting network exploitability, low attack complexity, and the requirement of privileges but no user interaction. The scope is changed because the vulnerability allows unauthorized modification of resources. The issue is resolved in zot version 2.1.15 by correcting the authorization logic to properly handle the 'latest' tag update scenario.

This vulnerability primarily impacts the integrity of container images stored in affected zot registries. Unauthorized users with create permissions can overwrite the 'latest' tag, potentially replacing trusted images with malicious or altered versions. This can lead to supply chain compromises, deployment of backdoored containers, and disruption of development and production workflows relying on the 'latest' tag. Since container images are widely used in cloud-native environments, CI/CD pipelines, and production deployments, the impact can be significant for organizations relying on zot as their artifact registry. The vulnerability does not affect confidentiality or availability directly but undermines trust in the image provenance and can facilitate further attacks. Attackers with network access and limited privileges can exploit this flaw without user interaction, increasing the risk of automated or stealthy attacks. Organizations using affected versions face risks of unauthorized code execution, data breaches, or service disruption if compromised images are deployed.

The primary mitigation is to upgrade all instances of project-zot to version 2.1.15 or later, where the authorization logic is corrected. Until upgrades can be performed, organizations should implement strict network access controls to limit who can perform PUT operations on manifests, especially on the 'latest' tag. Review and tighten permissions to ensure that users with create rights do not have unnecessary access to sensitive repositories or tags. Implement monitoring and alerting on manifest overwrite events, particularly targeting the 'latest' tag, to detect suspicious activity. Consider using image signing and verification mechanisms to detect unauthorized image modifications. In environments where upgrading is delayed, temporarily disable or restrict use of the 'latest' tag to reduce risk. Conduct thorough audits of container registries to identify any unauthorized changes. Finally, integrate vulnerability scanning and supply chain security tools to detect compromised images before deployment.