GHSA-3hw7-qj9h-r835
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3hw7-qj9h-r835
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-3hw7-qj9h-r835/GHSA-3hw7-qj9h-r835.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3hw7-qj9h-r835
- Aliases
-
- CVE-2025-47283
- GO-2025-3696
- Published
- 2025-05-19T19:15:03Z
- Modified
- 2025-05-23T16:13:19.507199Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Gardener allows bypassing project secret validation which can lead to privilege escalation
- Details
-
A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.
Am I Vulnerable?
This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters.
Affected Components
gardener/gardener
Affected Versions
- < v1.116.4
- < v1.117.5
- < v1.118.2
- < v1.119.0
Fixed Versions
- >= v1.116.4
- >= v1.117.5
- >= v1.118.2
- >= v1.119.0
How do I mitigate this vulnerability?
Update to a fixed version.
- Database specific
{ "nvd_published_at": "2025-05-19T19:15:51Z", "cwe_ids": [ "CWE-20", "CWE-269" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-05-19T19:15:03Z" }- References
Affected packages
Go / github.com/gardener/gardener
Package
- Name
- github.com/gardener/gardener
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gardener/gardener
Go / github.com/gardener/gardener
Package
- Name
- github.com/gardener/gardener
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gardener/gardener
Go / github.com/gardener/gardener
Package
- Name
- github.com/gardener/gardener
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gardener/gardener