Tag: cwe-150

  • CVE-2025-47284: Critical Privilege Escalation in Gardener via Metadata Injection

    Overview

    On May 19, 2025, a critical security vulnerability was published under the identifier CVE-2025-47284, affecting Gardener, the open-source system for operating Kubernetes clusters as a service. The flaw is in gardenlet, the Gardener agent that runs on each seed cluster, and lets an administrator of a single Gardener project escalate to the seed cluster because gardenlet does not neutralize injected metadata before acting on it.

    What is Gardener?

    Gardener is an open-source project developed by SAP that provides Kubernetes-as-a-Service. Each managed cluster (a "shoot") has its control plane hosted as pods on a "seed" cluster, while the shoot's worker nodes run in the user's own cloud account; infrastructure-specific logic lives in provider extensions, which is how Gardener supports multiple clouds from one control plane. gardenlet is the agent deployed on every seed that reconciles the shoots scheduled to it. Because a single seed typically hosts the control planes of shoots belonging to many projects, control over a seed means control over every one of those clusters, which is why a project-to-seed escalation is a cross-tenant compromise.

    Vulnerability Details

    The vulnerability arises from improper neutralization of escape, meta, or control sequences, classified as CWE-150. An attacker who already holds administrative rights in a Gardener project can inject metadata into that project's secrets; gardenlet processes this metadata without neutralizing it, which allows the attacker to escalate from the project namespace to the seed cluster(s) hosting the project's shoot control planes. This page does not describe the exact injected fields or payload.

    Because gardenlet is a core Gardener component, every installation running one of the affected Gardener versions listed below is exposed, regardless of which infrastructure provider extension (for example gardener/gardener-extension-provider-gcp) is deployed.

    Technical Impact

    • CVSS v3 base score: 9.9 (Critical)
    • Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, and Availability Impact: High

    The vulnerability is exploitable over the network through the regular Gardener API, with no user interaction. "Privileges Required: Low" is relative to the Gardener landscape as a whole: the attacker needs only administrator rights within one project, which tenants hold by design, and no access to the seed or garden cluster. "Scope: Changed" reflects that the impact lands on the seed cluster, a different security authority than the project namespace the attacker was granted, and through it on the control planes of other tenants' shoots. Once on the seed, the attacker can manipulate cluster management operations and compromise the confidentiality, integrity, and availability of every managed Kubernetes environment hosted there.

    Affected Versions

    • Gardener versions < 1.116.4
    • Gardener 1.117.0 to < 1.117.5
    • Gardener 1.118.0 to < 1.118.2

    Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 contain patches addressing this issue.
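    The following Go helper is an added example, not code from the advisory or from the Gardener project. It encodes the affected ranges above and answers, for a version string as gardenlet reports it for a seed (the `status.gardener.version` field of the Seed resource), whether that seed still needs the patch. It treats pre-release builds such as `v1.117.5-dev` as preceding the release they name, so they are reported as affected; the seed names and versions in `main` are constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed Gardener release. Pre marks a pre-release build such
// as "v1.117.5-dev", which under semantic versioning precedes v1.117.5.
type Version struct {
	Major, Minor, Patch int
	Pre                 bool
}

// ParseVersion accepts "1.117.3", "v1.117.3", "v1.117.3-dev" and
// "v1.117.3+abc123" (build metadata after '+' is ignored for ordering).
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var v Version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.Pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	fields := []*int{&v.Major, &v.Minor, &v.Patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("version %q: bad component %q", s, p)
		}
		*fields[i] = n
	}
	return v, nil
}

// Less reports whether v precedes w; a pre-release precedes its final release.
func (v Version) Less(w Version) bool {
	switch {
	case v.Major != w.Major:
		return v.Major < w.Major
	case v.Minor != w.Minor:
		return v.Minor < w.Minor
	case v.Patch != w.Patch:
		return v.Patch < w.Patch
	default:
		return v.Pre && !w.Pre
	}
}

// firstFixed maps each minor line named by the advisory to its first fixed
// release: 1.116.4, 1.117.5, 1.118.2 and 1.119.0. Lines below 1.116 have no
// fix and are entirely affected; lines above 1.119 were released fixed.
var firstFixed = map[int]int{116: 4, 117: 5, 118: 2, 119: 0}

// IsVulnerable answers whether the gardenlet version reported for a seed
// falls into an affected range of CVE-2025-47284.
func IsVulnerable(reported string) (bool, error) {
	v, err := ParseVersion(reported)
	if err != nil {
		return false, err
	}
	if v.Major != 1 {
		return false, fmt.Errorf("version %q: no data for major version %d", reported, v.Major)
	}
	patch, ok := firstFixed[v.Minor]
	switch {
	case v.Minor < 116:
		return true, nil
	case !ok: // 1.120 and later
		return false, nil
	default:
		return v.Less(Version{Major: 1, Minor: v.Minor, Patch: patch}), nil
	}
}

func main() {
	// Constructed sample of seed names and reported versions; not real
	// landscape data.
	seeds := map[string]string{
		"seed-eu-1": "v1.117.4",
		"seed-eu-2": "v1.117.5",
		"seed-us-1": "v1.119.0-dev",
		"seed-ap-1": "v1.120.1",
	}
	for name, ver := range seeds {
		vuln, err := IsVulnerable(ver)
		if err != nil {
			fmt.Printf("%s %s: %v\n", name, ver, err)
			continue
		}
		fmt.Printf("%s %s vulnerable=%t\n", name, ver, vuln)
	}
}
```

    To feed it real data, list the seeds of the garden cluster with `kubectl get seeds -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.gardener.version}{"\n"}{end}'` and pass each version to IsVulnerable. Any seed still reporting an affected version hosts shoot control planes that remain reachable through this flaw, so the seed list, not the shoot list, is the right inventory to check.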

    Mitigation

    Upgrade Gardener, and with it gardenlet on every seed, to 1.116.4, 1.117.5, 1.118.2, or 1.119.0 or later. This applies to every installation on an affected version, whichever infrastructure provider extension is in use. Until the upgrade is complete, treat project administrator rights as equivalent to seed-level access: review who holds them, and audit changes to Secret objects in project namespaces.

    Conclusion

    CVE-2025-47284 underscores the importance of secure metadata handling in cloud-native platforms. With a near-maximum CVSS score and the potential for full cluster compromise, this flaw should be addressed promptly by all affected users. For more details, refer to the GitHub security advisory.