GHSA-h5f8-crrq-4pw8: 
vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-h5f8-crrq-4pw8) was discovered in the Contrast workload system affecting versions 1.8.0 and earlier. The vulnerability involves the exposure of workload secrets through logging when the Contrast initializer is configured with CONTRASTLOGLEVEL set to info or debug. This issue was published on May 27, 2025, and affects the github.com/edgelesssys/contrast Go module (GitHub Advisory).

The vulnerability occurs when the Contrast initializer logs workload secrets to stderr and Kubernetes logs at INFO level logging, which is the default configuration. The issue has been assigned a CVSS score of 7.3 (High) with a vector string of CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The vulnerability is classified as CWE-532 and requires adjacent network access with low attack complexity (GitHub Advisory).

The vulnerability exposes workload secrets to unauthorized parties including Kubernetes users with get or list permissions on pods/logs and entities with read access to Kubernetes log storage, including cloud providers. This exposure breaches the intended access control where only specific parties (Contrast Coordinator, Contrast Initializer, Seedshare owner, and Workload owner) should have access to these secrets. Applications that don't use workload secrets or are designed for workload owner exclusion are not affected (GitHub Advisory).

The vulnerability has been patched in version 1.8.1. For users unable to upgrade immediately, a workaround is available by adding the environment variable CONTRASTLOGLEVEL=warn to the initializer after running contrast generate, followed by running contrast generate again (GitHub Advisory).