VYPR
Critical severityNVD Advisory· Published May 19, 2025· Updated Feb 6, 2026

Bypassing project secret validation can lead to privilege escalation

CVE-2025-47283

Description

Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. gardener/gardener (gardenlet) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/gardener/gardenerGo
< 1.116.41.116.4
github.com/gardener/gardenerGo
>= 1.117.0, < 1.117.51.117.5
github.com/gardener/gardenerGo
>= 1.118.0, < 1.118.21.118.2

Affected products

3

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.