Advisory GHSA-f5p4-p5q5-jv3h references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/edgelesssys/contrast |
Description:
Summary
A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the secure persistent volume feature. The guest will open the volume and write secret data using a volume key known to the attacker.
LUKS2 volume metadata is (a) not authenticated and (b) allows null key-encryption algorithms, so an attacker can craft a volume that:
- Opens (cryptsetup open) without error using any passphrase or token
- Records all writes in plaintext (or ciphertext with an attacker-known ke...
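An added defensive check, written for this report and not Contrast's own code nor the referenced fix (which moves to detached header verification): it parses the JSON area of a LUKS2 header and refuses any data segment or keyslot area whose cipher is outside an allowlist, which is where a cipher_null volume fails before cryptsetup is ever invoked. It assumes the standard LUKS2 on-disk layout (4096-byte binary header, version at offset 6, hdr_size at offset 8, NUL-padded JSON area ending at hdr_size); BuildHeader produces constructed demo input, not a real volume.

```go
package main
import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
)
// Standard LUKS2 layout: 4096-byte binary header (version at offset 6, hdr_size at 8), then a NUL-padded JSON area.
const binHdrSize, luks2Magic = 4096, "LUKS\xba\xbe"
// Subset of the JSON area deciding how segments and keyslot areas are encrypted (json matches names case-insensitively).
type luks2Meta struct {
	Segments map[string]struct{ Encryption string }
	Keyslots map[string]struct{ Area struct{ Encryption string } }
}
// CheckLUKS2Header refuses a header whose segments or keyslot areas use a cipher outside allowed (e.g. cipher_null).
func CheckLUKS2Header(hdr []byte, allowed map[string]bool) error {
	if len(hdr) < binHdrSize || string(hdr[:6]) != luks2Magic ||
		binary.BigEndian.Uint16(hdr[6:8]) != 2 {
		return fmt.Errorf("not a LUKS2 header")
	}
	hdrSize := binary.BigEndian.Uint64(hdr[8:16])
	if hdrSize < binHdrSize || hdrSize > uint64(len(hdr)) {
		return fmt.Errorf("hdr_size %d out of range", hdrSize)
	}
	area, _, _ := bytes.Cut(hdr[binHdrSize:hdrSize], []byte{0}) // strip NUL padding
	var m luks2Meta
	if err := json.Unmarshal(area, &m); err != nil || len(m.Segments) == 0 {
		return fmt.Errorf("unusable JSON area: %v", err)
	}
	for id, s := range m.Segments {
		if !allowed[s.Encryption] {
			return fmt.Errorf("segment %s uses cipher %q", id, s.Encryption)
		}
	}
	for id, k := range m.Keyslots {
		if !allowed[k.Area.Encryption] {
			return fmt.Errorf("keyslot %s area uses cipher %q", id, k.Area.Encryption)
		}
	}
	return nil
}
// BuildHeader wraps meta in a constructed 16 KiB primary header (demo input only, not a usable volume).
func BuildHeader(meta string) []byte {
	hdr := make([]byte, 16384)
	copy(hdr, luks2Magic)
	binary.BigEndian.PutUint16(hdr[6:], 2)
	binary.BigEndian.PutUint64(hdr[8:], uint64(len(hdr)))
	copy(hdr[binHdrSize:], meta)
	return hdr
}
```

The allowlist only bounds what the untrusted metadata may declare; it does not make the header authentic, which is why the referenced fix verifies a detached header instead of trusting the one on the host-provided volume.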
References:
- ADVISORY: GHSA-f5p4-p5q5-jv3h
- ADVISORY: GHSA-f5p4-p5q5-jv3h
- FIX: edgelesssys/contrast@2252a23
- FIX: cryptsetup: detached header verification, refactor edgelesssys/contrast#1731
Cross references:
- github.com/edgelesssys/contrast appears in 4 other report(s):
- data/reports/GO-2025-3455.yaml (x/vulndb: potential Go vuln in github.com/edgelesssys/contrast: GHSA-vqv5-385r-2hf8 #3455)
- data/reports/GO-2025-3718.yaml (x/vulndb: potential Go vuln in github.com/edgelesssys/contrast: GHSA-h5f8-crrq-4pw8 #3718)
- data/reports/GO-2025-3807.yaml (x/vulndb: potential Go vuln in github.com/edgelesssys/contrast: GHSA-phhq-63jg-fp7r #3807)
- data/reports/GO-2025-3920.yaml (x/vulndb: potential Go vuln in github.com/edgelesssys/contrast: GHSA-vxg3-w9rv-rhr2 #3920)
 
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: github.com/edgelesssys/contrast
      non_go_versions:
        - introduced: TODO (earliest fixed "1.12.1", vuln range "<= 1.12.0")
      vulnerable_at: 1.14.0
summary: Contrast has insecure LUKS2 persistent storage partitions that may be opened and used in github.com/edgelesssys/contrast
ghsas:
    - GHSA-f5p4-p5q5-jv3h
references:
    - advisory: https://github.com/advisories/GHSA-f5p4-p5q5-jv3h
    - advisory: https://github.com/edgelesssys/contrast/security/advisories/GHSA-f5p4-p5q5-jv3h
    - fix: https://github.com/edgelesssys/contrast/commit/2252a231d570c2dce10a33660452b0bfc3c43958
    - fix: https://github.com/edgelesssys/contrast/pull/1731
source:
    id: GHSA-f5p4-p5q5-jv3h
    created: 2025-10-28T18:01:12.318754477Z
review_status: UNREVIEWED