GHSA-9x73-87fh-54w9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9x73-87fh-54w9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9x73-87fh-54w9/GHSA-9x73-87fh-54w9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9x73-87fh-54w9
- Aliases
-
- CVE-2025-47284
- GO-2025-3698
- Published
- 2025-05-19T21:09:32Z
- Modified
- 2025-05-23T16:13:19.439340Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Gardener allows metadata injection for a project secret which can lead to privilege escalation
- Details
-
A security vulnerability was discovered in the
gardenletcomponent of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.Am I Vulnerable?
This CVE affects all Gardener installations where https://github.com/gardener/gardener-extension-provider-gcp is in use.
Affected Components
gardener/gardener(gardenlet)
Affected Versions
- < v1.116.4
- < v1.117.5
- < v1.118.2
- < v1.119.0
Fixed Versions
- >= v1.116.4
- >= v1.117.5
- >= v1.118.2
- >= v1.119.0
How do I mitigate this vulnerability?
Update to a fixed version.
- Database specific
{ "nvd_published_at": "2025-05-19T19:15:51Z", "cwe_ids": [ "CWE-150" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-05-19T21:09:32Z" }- References
Affected packages
Go / github.com/gardener/gardener
Package
- Name
- github.com/gardener/gardener
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gardener/gardener
Go / github.com/gardener/gardener
Package
- Name
- github.com/gardener/gardener
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gardener/gardener
Go / github.com/gardener/gardener
Package
- Name
- github.com/gardener/gardener
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gardener/gardener