GHSA-rh99-wc69-c255
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rh99-wc69-c255
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rh99-wc69-c255/GHSA-rh99-wc69-c255.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rh99-wc69-c255
- Published
- 2026-04-30T20:57:17Z
- Modified
- 2026-05-05T16:10:34.745646Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Contras Affected by CopyFile Policy Subversion via Symlinks
- Details
-
Impact
The Kata agent policies generated by the Contrast CLI had an issue in the
CopyFileverification, which allowed arbitrary writes to the guest root filesytem. A malicious process on the host with the capability to connect to the Kata agent VSOCK could connect to the agent and issue a series ofCopyFilerequests to overwrite security-critical files or trick the workload into disclosing sensitive data, which effectively amounts to a full guest takeover.Patches
This issue has been patched in Contrast v1.19.1.
Note that this fix does not change the fact that host-provided content is generally not trustworthy, as documented.
Workarounds
If upgrading is not possible, users can implement the fix in rego and pass it to
contrast generate --policy. The rego-only fix is a bit trickier than the patch, because the data to check is binary. See the references for details.Resources
- Upstream GHSA: https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc
- Alternative policy-only fix: https://gist.github.com/burgerdev/304dd0ab0fff1665b7c27e18a30cf96e
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-30T20:57:17Z", "nvd_published_at": null, "severity": "HIGH", "cwe_ids": [ "CWE-59" ] }- References
-
- https://github.com/edgelesssys/contrast/security/advisories/GHSA-rh99-wc69-c255
- https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc
- https://gist.github.com/burgerdev/304dd0ab0fff1665b7c27e18a30cf96e
- https://github.com/edgelesssys/contrast
- https://github.com/edgelesssys/contrast/releases/tag/v1.19.1
Affected packages
Go / github.com/edgelesssys/contrast
Package
- Name
- github.com/edgelesssys/contrast
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/edgelesssys/contrast