CVE-2025-59823
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-09-26

Assigner: GitHub, Inc.

Description
Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0.
Meta Information
Published: 2025-09-25
Last Modified: 2025-09-26
Generated: 2026-05-07
AI Q&A: 2025-09-25
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (4 associated CPEs)

Vendor     Product                                  Version / Range
gardener   gardener-extension-provider-openstack    <1.49.0
gardener   gardener-extension-provider-azure        <1.55.0
gardener   gardener-extension-provider-aws          <1.64.0
gardener   gardener-extension-provider-gcp          <1.46.0
CWE ID: CWE-94
Description: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a code injection issue in Project Gardener's extensions for various cloud providers (AWS, Azure, OpenStack, GCP) before certain versions. It allows a user with administrative privileges on a Gardener project to potentially execute arbitrary code and gain control over the seed cluster that manages the shoot cluster. This affects installations using Terraformer for infrastructure provisioning with the affected components.

How can this vulnerability impact me?

If exploited, this vulnerability could allow an attacker with administrative access to a Gardener project to take control of the seed cluster, leading to full compromise of the cluster management infrastructure. This could result in unauthorized access, data loss, service disruption, and further attacks within the Kubernetes environment.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade Gardener Extensions to the patched versions: AWS providers to version 1.64.0 or later, Azure providers to version 1.55.0 or later, OpenStack providers to version 1.49.0 or later, and GCP providers to version 1.46.0 or later. Additionally, review and restrict administrative privileges for Gardener projects to limit potential exploitation.