
Description

Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in the `gardenlet` component of Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations where gardener/gardener-extension-provider-gcp is in use. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.

PUBLISHED Reserved 2025-05-05 | Published 2025-05-19 | Updated 2025-05-20 | Assigner GitHub_M

CRITICAL: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Problem types

CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

Product status

< 1.116.4: affected

>= 1.117.0, < 1.117.5: affected

>= 1.118.0, < 1.118.2: affected

References

github.com/...rdener/security/advisories/GHSA-9x73-87fh-54w9

cve.org (CVE-2025-47284)

nvd.nist.gov (CVE-2025-47284)
