GHSA-c37v-3c8w-crq8

Published: 22 May 2025
Source: github
GitHub: Reviewed
CVSS4: 5.5

Description

zot logs secrets

Summary

When using Keycloak as an OIDC provider, the clientsecret gets printed into the container stdout logs, for example at container startup.

Details

Container Image (15.04.2025): ghcr.io/project-zot/zot-linux-amd64:latest

Here is an example of how the configuration can look which causes the above stated problem:

http:
  address: "0.0.0.0"
  port: 5000
  externalUrl: "https://zot.example.com"
  auth: {
    failDelay: 1,
    openid: {
      providers: {
        oidc: {
          name: "Keycloak",
          clientid: "zot-client-id",
          clientsecret: fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l,
          keypath: "",
          issuer: "https://keycloak.example.com/realms/example",
          scopes: ["openid"]
        }
      }
    }
  }

PoC

Set up a blank new zot k8s deployment with the code snippet above.

Impact

Exposure of secrets when configuring an OIDC provider.
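The logging defect described above, as an added Go example that is not zot's own code: a constructed stand-in for the openid provider block is logged whole (the failure mode), then logged with the secret blanked (the fix shape), and a defender-side check scans captured log lines for any configured secret. The struct, function names and log line format are assumptions; the sample secret is the value from the advisory's config.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed stand-in for the advisory's openid provider block (keys mirror the config, not zot's types).
type OIDCProvider struct {
	Name         string `json:"name"`
	ClientID     string `json:"clientid"`
	ClientSecret string `json:"clientsecret"`
	Issuer       string `json:"issuer"`
}

// LogUnsafe reproduces the failure mode: the whole block is marshalled into the startup log, secret included.
func LogUnsafe(p OIDCProvider) string {
	b, _ := json.Marshal(p)
	return "startup config: " + string(b)
}

// LogRedacted blanks the secret on a copy before marshalling (the fix shape, not zot's actual patch).
func LogRedacted(p OIDCProvider) string {
	p.ClientSecret = "[REDACTED]"
	b, _ := json.Marshal(p)
	return "startup config: " + string(b)
}

// LeakedSecrets is the defender-side check: configured secrets that appear verbatim in captured log lines.
func LeakedSecrets(logLines, secrets []string) []string {
	var hits []string
	joined := strings.Join(logLines, "\n")
	for _, s := range secrets {
		if s != "" && strings.Contains(joined, s) { // an empty secret would match every line
			hits = append(hits, s)
		}
	}
	return hits
}

func main() {
	p := OIDCProvider{Name: "Keycloak", ClientID: "zot-client-id", Issuer: "https://keycloak.example.com/realms/example",
		ClientSecret: "fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l"} // sample value from the advisory
	fmt.Println(LeakedSecrets([]string{LogUnsafe(p)}, []string{p.ClientSecret}))   // secret found
	fmt.Println(LeakedSecrets([]string{LogRedacted(p)}, []string{p.ClientSecret})) // nothing found
}
```

Run the same check against the real container's captured stdout after startup to confirm a deployed version no longer emits the configured secret.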

Packages

Name: zotregistry.dev/zot (go)
Affected versions: < 1.4.4-0.20250522160828-8a99a3ed231f
Fixed version: 1.4.4-0.20250522160828-8a99a3ed231f

EPSS: 0.00033 (percentile: 9%, Low)

CVSS4: 5.5 Medium

Weaknesses: CWE-532

Related vulnerabilities

nvd
9 months ago

zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an OIDC provider, the clientsecret gets printed into the container stdout logs, for example at container startup. Version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue.
