
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-vxg3-w9rv-rhr2) affects the Contrast software package, specifically versions 1.9.0 through 1.12.1. It is a recurrence of a previously fixed vulnerability (GHSA-h5f8-crrq-4pw8) in which workload secrets are leaked to logs at the INFO level. The vulnerability was discovered and disclosed on August 28, 2025, and has been patched in version 1.12.2 (GitHub Advisory).
The vulnerability occurs because the Contrast initializer writes workload secrets to stderr, and therefore to the Kubernetes pod logs, when CONTRASTLOGLEVEL is set to info or debug. This is particularly concerning because 'info' is the default logging level, so a default deployment is affected. The vulnerability has been assigned a CVSS score of 7.3 (High) with the following metrics: Adjacent attack vector, Low attack complexity, Low privileges required, No user interaction, Unchanged scope, High confidentiality impact, High integrity impact, and No availability impact. It is classified as CWE-532: Insertion of Sensitive Information into Log File (GitHub Advisory).
The vulnerability exposes workload secrets to any user who is authorized to read Kubernetes pod logs. Since these workload secrets are used for encrypted storage and for Vault integration, both systems should be considered compromised. The exposure extends to Kubernetes users with get or list permissions on pods/logs, and potentially to cloud providers with read access to Kubernetes log storage (GitHub Advisory).
The vulnerability has been patched in version 1.12.2. Due to the nature of the compromise, affected systems need to be initialized from scratch. As a temporary workaround, logging needs to be turned off, and the Contrast cluster requires new initialization. The fix was implemented through two patches (5a5512c and cf58026) that modify the logging behavior to prevent secret exposure (GitHub Advisory).
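The following is an added example, not Contrast's own code, showing how this class of leak (CWE-532) arises in a Go structured logger and one way to close it: a leaky Info-level log line beside a hardened one that wraps the secret in a type implementing slog.LogValuer, so every handler prints a placeholder regardless of log level. The type name WorkloadSecret, the two init functions, the Leaks helper and the sample secret are assumptions constructed for this illustration and are not taken from the Contrast repository.

```go
package main

import (
	"bytes"
	"log/slog"
	"strings"
)

// WorkloadSecret wraps secret material so a structured logger never prints it.
// Hypothetical type constructed for this example; not Contrast's own.
type WorkloadSecret []byte

// LogValue implements slog.LogValuer: every slog handler resolves this value
// before formatting, so the placeholder is emitted at any level, Info included.
func (WorkloadSecret) LogValue() slog.Value {
	return slog.StringValue("[REDACTED]")
}

// String guards the fmt path as well (e.g. %v or %s formatting of the value).
func (WorkloadSecret) String() string { return "[REDACTED]" }

// initLeaky mirrors the bug class in the advisory: raw secret bytes are passed
// to an Info-level log line and end up on stderr, and thus in pod logs.
func initLeaky(secret []byte) string {
	var buf bytes.Buffer
	log := slog.New(slog.NewTextHandler(&buf, &slog.HandlerOptions{Level: slog.LevelInfo}))
	log.Info("initializer generated workload secret", "secret", string(secret))
	return buf.String()
}

// initRedacted is the hardened form: the secret is wrapped before it reaches the logger.
func initRedacted(secret []byte) string {
	var buf bytes.Buffer
	log := slog.New(slog.NewTextHandler(&buf, &slog.HandlerOptions{Level: slog.LevelInfo}))
	log.Info("initializer generated workload secret", "secret", WorkloadSecret(secret))
	return buf.String()
}

// Leaks reports whether the secret material appears verbatim in captured log output;
// the same check can be run over exported pod logs when assessing exposure.
func Leaks(logOutput string, secret []byte) bool {
	return strings.Contains(logOutput, string(secret))
}

func main() {
	secret := []byte("constructed-sample-secret-0123") // constructed sample, not a real key
	println(initLeaky(secret))    // secret appears in the line
	println(initRedacted(secret)) // secret=[REDACTED]
}
```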
In response to this vulnerability, the Edgeless Systems team is implementing a new process for handling security advisories to prevent similar regressions in the future, as documented in their repository issue #1739 (GitHub PR).
Source: This report was generated using AI