GHSA-9x73-87fh-54w9: Gardener allows metadata injection for a project secret which can lead to privilege escalation
A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.
Am I Vulnerable?
This CVE affects all Gardener installations where https://github.com/gardener/gardener-extension-provider-gcp is in use.
Affected Components
- gardener/gardener (gardenlet)
Affected Versions
- < v1.116.4
- < v1.117.5
- < v1.118.2
- < v1.119.0
Fixed Versions
- >= v1.116.4
- >= v1.117.5
- >= v1.118.2
- >= v1.119.0
How do I mitigate this vulnerability?
Update to a fixed version.
- CVE-2025-47284
Critical severity GitHub Reviewed Published May 19, 2025 in gardener/gardener • Updated May 19, 2025
Package
gomod github.com/gardener/gardener (Go)
Affected versions
< 1.116.4
>= 1.117.0, < 1.117.5
>= 1.118.0, < 1.118.2
Patched versions
1.116.4
1.117.5
1.118.2
References
- GHSA-9x73-87fh-54w9