GHSA-9x73-87fh-54w9

Source

https://github.com/advisories/GHSA-9x73-87fh-54w9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9x73-87fh-54w9/GHSA-9x73-87fh-54w9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9x73-87fh-54w9

Aliases

Published

2025-05-19T21:09:32Z

Modified

2025-05-23T17:59:47.018966Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Gardener allows metadata injection for a project secret which can lead to privilege escalation

Details

A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Am I Vulnerable?

This CVE affects all Gardener installations where https://github.com/gardener/gardener-extension-provider-gcp is in use.

Affected Components

gardener/gardener (gardenlet)

Affected Versions

< v1.116.4
< v1.117.5
< v1.118.2
< v1.119.0

Fixed Versions

>= v1.116.4
>= v1.117.5
>= v1.118.2
>= v1.119.0

How do I mitigate this vulnerability?

Update to a fixed version.

Database specific

{
    "cwe_ids": [
        "CWE-150"
    ],
    "nvd_published_at": "2025-05-19T19:15:51Z",
    "github_reviewed_at": "2025-05-19T21:09:32Z",
    "github_reviewed": true,
    "severity": "CRITICAL"
}

References

Affected packages

Go / github.com/gardener/gardener

Package

Name: github.com/gardener/gardener; View open source insights on deps.dev
Purl: pkg:golang/github.com/gardener/gardener

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.116.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9x73-87fh-54w9/GHSA-9x73-87fh-54w9.json"

Go / github.com/gardener/gardener

Package

Name: github.com/gardener/gardener; View open source insights on deps.dev
Purl: pkg:golang/github.com/gardener/gardener

Affected ranges

Type: SEMVER
Events: Introduced

1.117.0

Fixed

1.117.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9x73-87fh-54w9/GHSA-9x73-87fh-54w9.json"

Go / github.com/gardener/gardener

Package

Name: github.com/gardener/gardener; View open source insights on deps.dev
Purl: pkg:golang/github.com/gardener/gardener

Affected ranges

Type: SEMVER
Events: Introduced

1.118.0

Fixed

1.118.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9x73-87fh-54w9/GHSA-9x73-87fh-54w9.json"