GHSA-VXG3-W9RV-RHR2

Vulnerability from github – Published: 2025-08-28 16:46 – Updated: 2025-08-28 16:46
VLAI
Summary
Contrast leaks workload secrets to logs on INFO level
Details

This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release v1.8.1, but the fix was not ported to the main branch and thus not present in releases v1.9.0 ff.

Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.

Impact

  • Workload secrets are visible to Kubernetes users with get or list permission on pods/logs, and thus need to be considered compromised.
  • Since workload secrets are used for encrypted storage and Vault integration, those need to be considered compromised, too.

Patches

Patches:

  • https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225
  • https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554

The patches are released with v1.12.2 and v1.13.0 (not yet published). Since the secrets are compromised, Contrast needs to be initialized from scratch.

Workarounds

Existing workload secrets are compromised. The Contrast cluster needs to be newly initialized, and logging needs to be turned off.

References

First occurrence: * https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8

We are defining a process for handling GHSAs that should prevent such regressions in the future: * https://github.com/edgelesssys/contrast/pull/1739

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.12.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgelesssys/contrast"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-28T16:46:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release `v1.8.1`, but the fix was not ported to the main branch and thus not present in releases `v1.9.0` ff.\n\nBelow is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.\n\n### Impact\n\n* [Workload secrets](https://docs.edgeless.systems/contrast/1.11/architecture/secrets#workload-secrets) are visible to Kubernetes users with `get` or `list` permission on `pods/logs`, and thus need to be considered compromised.\n* Since workload secrets are used for [encrypted storage](https://docs.edgeless.systems/contrast/1.11/howto/encrypted-storage) and [Vault integration](https://docs.edgeless.systems/contrast/1.11/howto/vault), those need to be considered compromised, too.\n\n### Patches\n\nPatches:\n\n* https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225\n* https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554\n\nThe patches are released with `v1.12.2` and `v1.13.0` (not yet published). Since the secrets are compromised, Contrast needs to be initialized from scratch.\n\n### Workarounds\n\nExisting workload secrets are compromised. The Contrast cluster needs to be newly initialized, and logging needs to be turned off. \n\n### References\n\nFirst occurrence:\n* https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8\n\nWe are defining a process for handling GHSAs that should prevent such regressions in the future:\n* https://github.com/edgelesssys/contrast/pull/1739",
  "id": "GHSA-vxg3-w9rv-rhr2",
  "modified": "2025-08-28T16:46:40Z",
  "published": "2025-08-28T16:46:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-vxg3-w9rv-rhr2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/pull/1739"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edgelesssys/contrast"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Contrast leaks workload secrets to logs on INFO level"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…