x/vulndb: potential Go vuln in zotregistry.dev/zot: GHSA-c9p4-xwr9-rfhx

[GoVulnBot]

Advisory GHSA-c9p4-xwr9-rfhx references a vulnerability in the following Go modules:

Module
zotregistry.dev/zot

Description:

Summary

The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API.

Details

SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case.

PoC

Login with group claims, logout, remove the user from a group from at IdP and log ...

References:

• ADVISORY: GHSA-c9p4-xwr9-rfhx
• ADVISORY: GHSA-c9p4-xwr9-rfhx
• FIX: project-zot/zot@002ac62

Cross references:

• zotregistry.dev/zot appears in 1 other report(s):
  • data/reports/GO-2024-2979.yaml (x/vulndb: potential Go vuln in zotregistry.dev/zot: GHSA-55r9-5mx9-qq7r #2979)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: zotregistry.dev/zot
      non_go_versions:
        - introduced: TODO (earliest fixed "2.1.2", vuln range "<= 2.1.1")
      vulnerable_at: 1.4.3
summary: Zot IdP group membership revocation ignored in zotregistry.dev/zot
cves:
    - CVE-2025-23208
ghsas:
    - GHSA-c9p4-xwr9-rfhx
references:
    - advisory: https://github.com/advisories/GHSA-c9p4-xwr9-rfhx
    - advisory: https://github.com/project-zot/zot/security/advisories/GHSA-c9p4-xwr9-rfhx
    - fix: https://github.com/project-zot/zot/commit/002ac62d8a15bf0cba010b3ba7bde86f9837b613
source:
    id: GHSA-c9p4-xwr9-rfhx
    created: 2025-01-17T23:01:24.931903816Z
review_status: UNREVIEWED