CRITICAL🇵🇱 Wersja polska

CVE-2025-47284

CVSS 9.9v3.1pub. 2025-05-19upd. 2025-09-04

Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in the `gardenlet` component of Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations where gardener/gardener-extension-provider-gcp is in use. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.

🤖 AI Analysis
How it works

The vulnerability (CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences) is present in the `gardenlet` component, which is responsible for managing the lifecycle of Kubernetes clusters. A user with administrative privileges within a Gardener project can use it to exceed their granted scope of access. As a result, the attacker is able to gain control over the seed cluster — the parent infrastructure that manages shoot clusters belonging to their project. The attack vector is network-based, requires no user interaction, and does not require particularly high initial privileges (project-level privileges are sufficient).

Impact

An attacker can gain full control over the seed cluster, which in practice means the ability to compromise the confidentiality, integrity, and availability of all Kubernetes clusters managed by it and potentially other resources of the shared infrastructure.

Mitigation & patch

The `gardenlet` component must be updated to version 1.116.4, 1.117.5, 1.118.2, or 1.119.0 (depending on the branch in use), in which the vendor has removed the described vulnerability. Detailed information is available in the official security advisory on GitHub: https://github.com/gardener/gardener/security/advisories/GHSA-9x73-87fh-54w9

Who is affected

All Gardener installations using the gardener/gardener-extension-provider-gcp extension in which the `gardenlet` component is running versions earlier than 1.116.4, 1.117.5, 1.118.2, and 1.119.0.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Gardener

    APP
    Gardener
    < 1.116.41.117.0 – 1.117.5 (bez)1.118.0 – 1.118.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2025-47283CRITICAL9.9PL ✓ten sam produkt

Eskalacja uprawnień w Gardener — przejęcie kontroli nad seed cluster

CVE-2019-12494HIGH8.5ten sam produkt

In Gardener before 0.20.0, incorrect access control in seed clusters allows information disclosure by sending ...

CVE-2018-2475HIGH8.5ten sam produkt

Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in t...