PT-2025-36636 · Go · Github.Com/Edgelesssys/Contrast

Publicado

2025-08-28

·

Atualizado

2025-08-28

CVSS v3.1

7.3

Alta

VetorAV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release v1.8.1, but the fix was not ported to the main branch and thus not present in releases v1.9.0 ff.
Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.

Impact

  • Workload secrets are visible to Kubernetes users with get or list permission on pods/logs, and thus need to be considered compromised.
  • Since workload secrets are used for encrypted storage and Vault integration, those need to be considered compromised, too.

Patches

Patches:
The patches are released with v1.12.2 and v1.13.0 (not yet published). Since the secrets are compromised, Contrast needs to be initialized from scratch.

Workarounds

Existing workload secrets are compromised. The Contrast cluster needs to be newly initialized, and logging needs to be turned off.

References

First occurrence:
We are defining a process for handling GHSAs that should prevent such regressions in the future:

Correção

Insertion into Log File

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-532

Identificadores relacionados

GHSA-VXG3-W9RV-RHR2

Produtos afetados

Github.Com/Edgelesssys/Contrast