Headline
GHSA-3hw7-qj9h-r835: Gardener allows bypassing project secret validation which can lead to privilege escalation
A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.
Am I Vulnerable?
This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters.
Affected Components
gardener/gardener
Affected Versions
- < v1.116.4
- < v1.117.5
- < v1.118.2
- < v1.119.0
Fixed Versions
- >= v1.116.4
- >= v1.117.5
- >= v1.118.2
- >= v1.119.0
How do I mitigate this vulnerability?
Update to a fixed version.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-47283
Gardener allows bypassing project secret validation which can lead to privilege escalation
Critical severity GitHub Reviewed Published May 19, 2025 in gardener/gardener • Updated May 19, 2025
Package
gomod github.com/gardener/gardener (Go)
Affected versions
< 1.116.4
>= 1.117.0, < 1.117.5
>= 1.118.0, < 1.118.2
Patched versions
1.116.4
1.117.5
1.118.2
A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.
Am I Vulnerable?
This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters.
Affected Components
- gardener/gardener
Affected Versions
- < v1.116.4
- < v1.117.5
- < v1.118.2
- < v1.119.0
Fixed Versions
- >= v1.116.4
- >= v1.117.5
- >= v1.118.2
- >= v1.119.0
How do I mitigate this vulnerability?
Update to a fixed version.
References
- GHSA-3hw7-qj9h-r835
Published to the GitHub Advisory Database
May 19, 2025
Last updated
May 19, 2025