PT-2025-36636 · Go · Github.Com/Edgelesssys/Contrast

Published

2025-08-28

·

Updated

2025-08-28

CVSS v3.1

7.3

High

VectorAV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release v1.8.1, but the fix was not ported to the main branch and thus not present in releases v1.9.0 ff.
Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.

Impact

  • Workload secrets are visible to Kubernetes users with get or list permission on pods/logs, and thus need to be considered compromised.
  • Since workload secrets are used for encrypted storage and Vault integration, those need to be considered compromised, too.

Patches

Patches:
The patches are released with v1.12.2 and v1.13.0 (not yet published). Since the secrets are compromised, Contrast needs to be initialized from scratch.

Workarounds

Existing workload secrets are compromised. The Contrast cluster needs to be newly initialized, and logging needs to be turned off.

References

First occurrence:
We are defining a process for handling GHSAs that should prevent such regressions in the future:

Fix

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-532

Related Identifiers

GHSA-VXG3-W9RV-RHR2

Affected Products

Github.Com/Edgelesssys/Contrast