GHSA-vxg3-w9rv-rhr2: Contrast leaks workload secrets to logs on INFO level
This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release v1.8.1, but the fix was not ported to the main branch and is therefore not present in releases v1.9.0 and later.
Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.
References
- github.com/advisories/GHSA-vxg3-w9rv-rhr2
- github.com/edgelesssys/contrast
- github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225
- github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554
- github.com/edgelesssys/contrast/pull/1739
- github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8
- github.com/edgelesssys/contrast/security/advisories/GHSA-vxg3-w9rv-rhr2