GHSA-RH99-WC69-C255: GHSA-RH99-WC69-C255: CopyFile Policy Subversion via Symlinks in Edgeless Systems Contrast

#security #cve #cybersecurity #ghsa

GHSA-RH99-WC69-C255: CopyFile Policy Subversion via Symlinks in Edgeless Systems Contrast

Vulnerability ID: GHSA-RH99-WC69-C255
CVSS Score: 8.4
Published: 2026-04-30

The Edgeless Systems Contrast CLI contains a high-severity vulnerability in its policy generation logic for the Kata Containers agent. It fails to properly restrict symbolic link resolution during CopyFile operations, allowing attackers to subvert container isolation policies and exfiltrate sensitive data from the Trusted Execution Environment (TEE).

TL;DR

Contrast CLI versions prior to v1.19.1 generate insecure policies for the Kata Containers agent. An attacker can use symbolic links to bypass CopyFile restrictions, accessing unauthorized files within the confidential virtual machine. Upgrading to v1.19.1 and regenerating policies remediates the issue.

Technical Details

CWE ID: CWE-59
Attack Vector: Local Container Execution
CVSS Score: 8.4
Impact: Data Exfiltration, Policy Bypass
Exploit Status: No public PoC
Remediation: Upgrade CLI and Regenerate Policies

Affected Systems

Edgeless Systems Contrast CLI
Kata Containers Agent
Contrast CLI: < 1.19.1 (Fixed in: v1.19.1)

Mitigation Strategies

Upgrade the Contrast CLI to version v1.19.1 or higher.
Regenerate Kata agent policies using the patched CLI.
Redeploy existing confidential container workloads with the newly generated policies.

Remediation Steps:

Run go install github.com/edgelesssys/contrast@v1.19.1 or download the latest binary release.
Execute the updated Contrast CLI to build new security policy files for your workloads.
Apply the new policies to your Kubernetes manifests or deployment scripts.
Restart the Kata Container pods to enforce the new symlink restrictions.