GHSA-fw33-qpx7-rhx2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fw33-qpx7-rhx2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fw33-qpx7-rhx2/GHSA-fw33-qpx7-rhx2.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-fw33-qpx7-rhx2
- Aliases
- Published
- 2025-12-11T16:48:48Z
- Modified
- 2025-12-12T16:16:50.012963Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- gardenctl is vulnerable to Command Injection when used with non‑POSIX shells
- Details
-
A security vulnerability was discovered for gardenctl when it is used with non‑POSIX shells such as Fish and PowerShell. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator's device.
Am I vulnerable? This CVE affects all Gardener operators who use gardenctl < v2.12.0 with non‑POSIX shells such as Fish and PowerShell.
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-12-11T16:48:48Z", "cwe_ids": [ "CWE-77" ], "nvd_published_at": "2025-12-12T06:15:40Z" }- References
Affected packages
Go / github.com/gardener/gardenctl-v2
Package
- Name
- github.com/gardener/gardenctl-v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gardener/gardenctl-v2