An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS05eDczLTg3ZmgtNTR3Oc4ABIG4

Severity: Critical
EPSS: 0.00069% (0.21517 Percentile)

Gardener allows metadata injection for a project secret which can lead to privilege escalation

Affected Packages

  • Package: go:github.com/gardener/gardener
  • PURL: pkg:go/github.com%2Fgardener%2Fgardener
  • Affected Versions: >= 1.118.0, < 1.118.2; >= 1.117.0, < 1.117.5; < 1.116.4
  • Fixed Versions: 1.118.2, 1.117.5, 1.116.4
  • 168 dependent packages
  • 200 dependent repositories

Affected Version Ranges

All affected versions

0.32.0, 0.32.1, 0.32.2, 0.33.0, 0.33.1, 0.33.2, 0.33.3, 0.33.4, 0.33.5, 0.33.6, 0.33.7, 0.34.0, 0.35.0, 0.35.1, 0.35.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.15.7, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.20.5, 1.21.0, 1.21.1, 1.21.2, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.22.6, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.25.4, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.27.4, 1.27.5, 1.28.0, 1.28.1, 1.28.2, 1.28.3, 1.29.0, 1.29.1, 1.30.0, 1.30.1, 1.30.2, 1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.31.4, 1.32.0, 1.32.1, 1.32.2, 1.32.3, 1.33.0, 1.33.1, 1.33.2, 1.33.3, 1.34.0, 1.34.1, 1.35.0, 1.35.1, 1.36.0, 1.36.1, 1.36.2, 1.37.0, 1.37.1, 1.37.2, 1.37.3, 1.37.4, 1.37.5, 1.37.6, 1.37.7, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.38.5, 1.38.6, 1.39.0, 1.39.1, 1.39.2, 1.39.3, 1.39.4, 1.39.5, 1.40.0, 1.40.1, 1.40.2, 1.40.3, 1.40.4, 1.40.5, 1.41.0, 1.41.1, 1.41.2, 1.41.3, 1.41.4, 1.41.5, 1.41.6, 1.41.7, 1.41.8, 1.42.0, 1.42.1, 1.42.2, 1.42.3, 1.42.4, 1.42.5, 1.42.6, 1.43.0, 1.43.1, 1.43.2, 1.43.3, 1.43.4, 1.43.5, 1.44.0, 1.44.1, 1.44.2, 1.44.3, 1.44.4, 1.44.5, 1.44.6, 1.45.0, 1.45.1, 1.46.0, 1.46.1, 1.46.2, 1.46.3, 1.47.0, 1.47.1, 1.47.2, 1.48.0, 1.48.1, 1.48.2, 1.48.3, 1.48.4, 1.48.5, 1.48.6, 1.48.7, 1.49.0, 1.49.1, 1.49.2, 1.49.3, 1.49.4, 
1.50.0, 1.50.1, 1.50.2, 1.51.0, 1.51.1, 1.52.0, 1.52.1, 1.52.2, 1.52.3, 1.53.0, 1.53.1, 1.53.2, 1.53.3, 1.53.4, 1.54.0, 1.54.1, 1.55.0, 1.55.1, 1.56.0, 1.56.1, 1.56.2, 1.57.0, 1.57.1, 1.57.2, 1.58.0, 1.58.1, 1.58.2, 1.58.3, 1.59.0, 1.59.1, 1.59.2, 1.59.3, 1.60.0, 1.60.1, 1.60.2, 1.60.3, 1.60.4, 1.60.5, 1.60.6, 1.60.7, 1.61.0, 1.61.1, 1.61.2, 1.61.3, 1.61.4, 1.61.5, 1.61.6, 1.62.0, 1.62.1, 1.62.2, 1.62.3, 1.63.0, 1.63.1, 1.63.2, 1.64.0, 1.64.1, 1.64.2, 1.64.3, 1.64.4, 1.65.0, 1.65.1, 1.65.2, 1.65.3, 1.65.4, 1.66.0, 1.66.1, 1.66.2, 1.66.3, 1.67.0, 1.67.1, 1.67.2, 1.67.3, 1.68.0, 1.68.1, 1.69.0, 1.69.1, 1.69.2, 1.69.3, 1.70.0, 1.70.1, 1.70.2, 1.70.3, 1.71.0, 1.71.1, 1.71.2, 1.71.3, 1.71.4, 1.71.5, 1.71.6, 1.72.0, 1.72.1, 1.72.2, 1.72.3, 1.73.0, 1.73.1, 1.73.2, 1.74.0, 1.74.1, 1.74.2, 1.74.3, 1.75.0, 1.75.1, 1.75.2, 1.76.0, 1.76.1, 1.76.2, 1.76.3, 1.76.4, 1.77.0, 1.77.1, 1.77.2, 1.77.3, 1.77.4, 1.77.5, 1.77.6, 1.78.0, 1.78.1, 1.78.2, 1.78.3, 1.78.4, 1.78.5, 1.79.0, 1.79.1, 1.79.2, 1.79.3, 1.80.0, 1.80.1, 1.80.2, 1.80.3, 1.80.4, 1.80.5, 1.80.6, 1.80.7, 1.81.0, 1.81.1, 1.81.2, 1.81.3, 1.81.4, 1.81.5, 1.81.6, 1.81.7, 1.82.0, 1.82.1, 1.82.2, 1.82.3, 1.83.0, 1.83.1, 1.83.2, 1.83.3, 1.84.0, 1.84.1, 1.84.2, 1.84.3, 1.85.0, 1.85.1, 1.85.2, 1.85.3, 1.85.4, 1.85.5, 1.86.0, 1.86.1, 1.86.2, 1.86.3, 1.86.4, 1.87.0, 1.87.1, 1.87.2, 1.87.3, 1.87.4, 1.88.0, 1.88.1, 1.88.2, 1.88.3, 1.89.0, 1.89.1, 1.89.2, 1.89.3, 1.89.4, 1.90.0, 1.90.1, 1.90.2, 1.90.3, 1.90.4, 1.90.5, 1.90.6, 1.90.7, 1.90.8, 1.91.0, 1.91.1, 1.91.2, 1.91.3, 1.91.4, 1.92.0, 1.92.1, 1.92.2, 1.92.3, 1.93.0, 1.93.1, 1.94.0, 1.94.1, 1.94.2, 1.94.3, 1.94.4, 1.94.5, 1.95.0, 1.95.1, 1.95.2, 1.95.3, 1.95.4, 1.95.5, 1.95.6, 1.96.0, 1.96.1, 1.96.2, 1.96.3, 1.96.4, 1.96.5, 1.96.6, 1.97.0, 1.97.1, 1.97.2, 1.97.3, 1.97.4, 1.98.0, 1.98.1, 1.98.2, 1.98.3, 1.98.4, 1.98.5, 1.98.6, 1.99.0, 1.99.1, 1.99.2, 1.99.3, 1.99.4, 1.100.0, 1.100.1, 1.100.2, 1.101.0, 1.101.1, 1.101.2, 1.101.3, 1.102.0, 1.102.1, 1.102.2, 1.103.0, 1.103.1, 1.103.2, 
1.104.0, 1.104.1, 1.104.2, 1.104.3, 1.105.0, 1.105.1, 1.105.2, 1.105.3, 1.106.0, 1.106.1, 1.106.2, 1.107.0, 1.107.1, 1.107.2, 1.107.3, 1.108.0, 1.108.1, 1.109.0, 1.110.0, 1.110.1, 1.110.2, 1.110.3, 1.110.4, 1.114.3, 1.115.0, 1.115.1, 1.115.2, 1.115.3, 1.115.4, 1.116.0, 1.116.1, 1.116.2, 1.116.3, 1.117.0, 1.117.1, 1.117.2, 1.117.3, 1.117.4, 1.118.0, 1.118.1

All unaffected versions

1.116.4, 1.117.5, 1.117.6, 1.118.2, 1.118.3, 1.119.0, 1.119.1, 1.119.2, 1.120.0, 1.120.1, 1.120.2, 1.120.3, 1.120.4, 1.121.0, 1.121.1, 1.121.2, 1.121.3, 1.121.4, 1.121.5, 1.122.0, 1.122.1, 1.122.2, 1.122.3, 1.123.0, 1.123.1, 1.123.2, 1.123.3, 1.123.4, 1.124.0, 1.124.1, 1.124.2, 1.125.0, 1.125.1

A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Am I Vulnerable?

This CVE affects all Gardener installations where https://github.com/gardener/gardener-extension-provider-gcp is in use.

Affected Components

  • gardener/gardener (gardenlet)

Affected Versions

  • < v1.116.4
  • < v1.117.5
  • < v1.118.2
  • < v1.119.0

Fixed Versions

  • >= v1.116.4
  • >= v1.117.5
  • >= v1.118.2
  • >= v1.119.0

How do I mitigate this vulnerability?

Update to a fixed version.
