Headline

GHSA-xwgg-m7fx-83wx: Gardener External DNS Management allows malicious google credential in DNS secret to lead to privilege escalation

A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster, including administrative privileges for a single namespace of the shoot cluster, to obtain control over the seed cluster where the shoot cluster is managed.

Am I Vulnerable?

This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters.

Affected Components

gardener/external-dns-management

Affected Versions

< 0.23.6

Fixed Versions

>= 0.23.6

Important

The external-dns-management component may also be deployed on the seeds by the https://github.com/gardener/gardener-extension-shoot-dns-service extension when the extension is enabled. In this case, all versions of the shoot-dns-service extension <= v1.60.0 are affected by this vulnerability.

How do I mitigate this vulnerability?

Update to a fixed version.

5 hours ago

ghsa

Open in Source

#vulnerability #google #git

Am I Vulnerable?

This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters.

Affected Components

gardener/external-dns-management

Affected Versions

< 0.23.6

Fixed Versions

>= 0.23.6

Important

The external-dns-management component may also be deployed on the seeds by the https://github.com/gardener/gardener-extension-shoot-dns-service extension when the extension is enabled. In this case, all versions of the shoot-dns-service extension <= v1.60.0 are affected by this vulnerability.

How do I mitigate this vulnerability?

Update to a fixed version.

References