9.9

CVE-2025-47283

Bypassing project secret validation can lead to privilege escalation

Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. `gardener/gardener` (`gardenlet`) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GardenerGardener Version < 1.116.4
GardenerGardener Version >= 1.117.0 < 1.117.5
GardenerGardener Version >= 1.118.0 < 1.118.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.54% 0.41
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.9 3.1 6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com 9.9 3.1 6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/gardener/gardener/security/advisories/GHSA-3hw7-qj9h-r835
Third Party Advisory
https://github.com/gardener/gardener/commit/924b1575aae052bcda5a51fac8594d38fa3c41b0
https://github.com/gardener/gardener/commit/b89cf2cd5067e82f364063d5241af73650a6e11d
https://github.com/gardener/gardener/commit/bbd19b1dd3a31843d7b820172d37f75298dfaf8b
https://github.com/gardener/gardener/commit/cf4e9887d83902216b85609caf563f7a9dd2de00