Authorization Bypass Through User-Controlled Key
CVE-2024-39897
Summary
Zot is an OCI image registry. The cache driver's `GetBlob()` allows read access to any blob without an access control check. If an `accessControl` policy grants users read access to some repositories but restricts access to others, and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob they do not have read access to can read that blob through a second repository they do have read access to. The attack works because `ImageStore.CheckBlob()` calls `checkCacheBlob()`, which looks the blob up in a global cache by digest; if the digest is found, the blob is copied into the user-requested repository with `copyBlob()`, so the only access check that takes place is the one on the repository named in the request. The attack may be mitigated by setting `"dedupe": false` in the `"storage"` settings. This issue affects github/project-zot/zot versions prior to 2.1.0.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- LOW
- NONE
CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Advisory Timeline
- Published