CRITICAL🇵🇱 Wersja polska

CVE-2025-47283

CVSS 9.9v3.1pub. 2025-05-19upd. 2026-02-06

Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. `gardener/gardener` (`gardenlet`) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.

🤖 AI Analysis
How it works

An improper input validation error (CWE-20) in the `gardenlet` component allows a privileged user of the Gardener project to perform actions beyond their normal scope of permissions. As a result of exploiting the vulnerability, an attacker can go beyond the boundaries of their project and gain unauthorized access to the seed cluster infrastructure, which serves multiple users and many shoot clusters. The attack does not require victim interaction or special network conditions — only administrative privileges within the Gardener project are needed.

Impact

An attacker can take full control of seed cluster(s), leading to a breach of confidentiality, integrity, and availability of both the seed infrastructure and all shoot clusters managed by it belonging to other users.

Mitigation & patch

Gardener must be updated immediately to version 1.116.4, 1.117.5, 1.118.2, or 1.119.0 (depending on the branch in use). Fixes were introduced in the above-mentioned versions by the project maintainers. Details are available in security advisory GHSA-3hw7-qj9h-r835.

Who is affected

All Gardener installations (`gardener/gardener`, `gardenlet` component) in versions earlier than 1.116.4, 1.117.5, 1.118.2, and 1.119.0, regardless of the public cloud provider used.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Gardener

    APP
    Gardener
    < 1.116.41.117.0 – 1.117.5 (bez)1.118.0 – 1.118.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2025-47284CRITICAL9.9PL ✓ten sam produkt

Eskalacja uprawnień w Gardener — przejęcie kontroli nad seed cluster

CVE-2019-12494HIGH8.5ten sam produkt

In Gardener before 0.20.0, incorrect access control in seed clusters allows information disclosure by sending ...

CVE-2018-2475HIGH8.5ten sam produkt

Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in t...