The vulnerability, a regression of GHSA-h5f8-crrq-4pw8, exists in the Contrast Security Kubernetes agent. A prior fix for sensitive information disclosure was correctly implemented in release v1.8.1 but was accidentally omitted from subsequent releases starting with v1.9.0 due to not being merged into the main development branch. This flaw allows unauthorized access to workload secrets, which are sensitive data like encryption keys and credentials stored within the application. These secrets are inadvertently exposed through the application’s log output. Any Kubernetes user with standard `get` or `list` permissions on the `pods/logs` resource can retrieve these logs, thereby gaining access to the plaintext secrets. Consequently, all secrets used for encrypted storage and Vault integration must be considered fully compromised, requiring a complete re-initialization of the Contrast environment.
Platform: Kubernetes (Contrast)
Version: 1.9.0-1.12.1
Vulnerability: Information Disclosure
Severity: Critical
Date: 2024-05-23
Prediction: Patch: 2024-06-06
What Undercode Say:
```bash
kubectl get pods --namespace contrast
kubectl logs pod/contrast-agent-pod --namespace contrast
grep -r "secret" /var/log/contrast/
cat /etc/contrast/secrets.yaml
```
How Exploit:
Secrets are exposed in the output of `kubectl logs`.
Protection from this CVE:
Upgrade to v1.12.2+.
Disable logging.
Reinitialize cluster secrets.
Impact:
Workload secrets compromised.
Vault integration compromised.
Requires full cluster reinitialization.
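To scope who could have read the leaked secrets, the following added example (not code from the advisory or the Contrast project) lists the subjects whose RBAC bindings allow reading pod logs in a namespace. It assumes the input is the `items` array from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`; the sample objects and their names are constructed, and `resourceNames` limits and aggregated ClusterRoles are not evaluated.

```python
# Added example; input is the items array of a kubectl RBAC listing (-o json).
READ_VERBS = {"get", "list", "*"}  # verbs the advisory names, plus wildcard

def grants_log_read(rule):
    """True if a PolicyRule allows reading the pods/log subresource."""
    core = any(g in ("", "*") for g in rule.get("apiGroups", []))
    res = any(r in ("*", "pods/log", "*/log") for r in rule.get("resources", []))
    return core and res and bool(READ_VERBS & set(rule.get("verbs", [])))

def log_readers(items, namespace):
    """Subjects bound to a role that can read pod logs in `namespace`."""
    roles = {}  # (kind, namespace or None, name) -> grants log read?
    for o in items:
        if o["kind"] in ("Role", "ClusterRole"):
            key = (o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"])
            roles[key] = any(grants_log_read(r) for r in o.get("rules") or [])
    found = set()
    for o in items:
        ns = o["metadata"].get("namespace")
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if o["kind"] == "RoleBinding" and ns != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        ref = o["roleRef"]
        ref_ns = ns if ref["kind"] == "Role" else None
        if roles.get((ref["kind"], ref_ns, ref["name"])):
            for s in o.get("subjects") or []:
                found.add((s["kind"], s["name"], o["metadata"]["name"]))
    return sorted(found)

def _obj(kind, name, ns=None, **extra):  # helper for the constructed sample
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, **extra}

SAMPLE = [  # constructed objects; only the namespace name comes from the page
    _obj("Role", "log-viewer", "contrast", rules=[
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]),
    _obj("Role", "pod-lister", "contrast", rules=[
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]),
    _obj("ClusterRole", "ops-admin", rules=[
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("RoleBinding", "dev-logs", "contrast", roleRef={"kind": "Role", "name": "log-viewer"},
         subjects=[{"kind": "Group", "name": "developers"}]),
    _obj("RoleBinding", "ci-pods", "contrast", roleRef={"kind": "Role", "name": "pod-lister"},
         subjects=[{"kind": "ServiceAccount", "name": "ci-runner"}]),
    _obj("ClusterRoleBinding", "ops", roleRef={"kind": "ClusterRole", "name": "ops-admin"},
         subjects=[{"kind": "User", "name": "alice"}]),
]
print(log_readers(SAMPLE, "contrast"))
```

Each returned tuple is (subject kind, subject name, binding name); every listed subject should be treated as having had access to the secrets while an affected version was running.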
Sources:
Reported By: github.com

