Bypassing project secret validation can lead to privilege escalation
Description
Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. gardener/gardener (gardenlet) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/gardener/gardenerGo | < 1.116.4 | 1.116.4 |
github.com/gardener/gardenerGo | >= 1.117.0, < 1.117.5 | 1.117.5 |
github.com/gardener/gardenerGo | >= 1.118.0, < 1.118.2 | 1.118.2 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/gardener/gardenerpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 1.116.4+ 1 more
- (no CPE)range: < 1.116.4
- (no CPE)range: < 0.0.20250523T151856-1.1
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-3hw7-qj9h-r835ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-47283ghsaADVISORY
- github.com/gardener/gardener/commit/924b1575aae052bcda5a51fac8594d38fa3c41b0ghsax_refsource_MISCWEB
- github.com/gardener/gardener/commit/b89cf2cd5067e82f364063d5241af73650a6e11dghsax_refsource_MISCWEB
- github.com/gardener/gardener/commit/bbd19b1dd3a31843d7b820172d37f75298dfaf8bghsax_refsource_MISCWEB
- github.com/gardener/gardener/commit/cf4e9887d83902216b85609caf563f7a9dd2de00ghsax_refsource_MISCWEB
- github.com/gardener/gardener/security/advisories/GHSA-3hw7-qj9h-r835ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.