Tag: dns

  • CVE-2025-47282: Critical Privilege Escalation in Gardener External DNS Management

    Overview

    A critical security vulnerability identified as CVE-2025-47282 has been disclosed in Gardener External DNS Management, affecting all versions prior to 0.23.6. This flaw allows users with specific administrative privileges to escalate privileges and potentially gain control over seed clusters in Kubernetes environments. The issue is rated with a CVSS v3.0 score of 9.9 (Critical).

    What is Gardener External DNS Management?

    Gardener is a Kubernetes-based system for managing Kubernetes clusters across multiple infrastructures. Its external-dns-management component handles DNS entries for shoot clusters and may also be deployed to seed clusters via the gardener-extension-shoot-dns-service extension.

    Technical Details

    The vulnerability arises from improper input validation (CWE-20). Specifically, a malicious Google credential embedded in a DNS secret is not validated before use, so an attacker can use it to inject unintended configuration and potentially take over the seed cluster that hosts the shoot cluster.

    Exploitation requires only that the attacker hold administrative privileges over any one of the following:

    • A Gardener project
    • A shoot cluster
    • A single namespace within a shoot cluster

    If the shoot-dns-service extension is enabled, then all versions ≤ v1.60.0 of this extension are also affected.

    CVSS Breakdown

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality/Integrity/Availability Impact: High

    Affected Components

    The following components are impacted:

    • gardener/external-dns-management < version 0.23.6
    • gardener-extension-shoot-dns-service ≤ v1.60.0

    Mitigation

    • Upgrade external-dns-management to version 0.23.6 or later.
    • If using the shoot-dns-service extension, ensure you are using a version later than v1.60.0.
    • Review permissions and secrets to identify possible abuse vectors.
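    The version boundaries above differ for the two components (strictly below 0.23.6 for external-dns-management, at or below v1.60.0 for the extension), which is easy to get wrong in an ad-hoc audit. The following Python script is an added example, not code from the advisory or from the Gardener project: it takes a list of container image references, maps image names to the two advisory components, parses the version tag, and reports which deployments still fall inside the affected ranges. The image names in COMPONENT_BY_IMAGE and the registry paths in the sample list are assumptions to be adjusted to your own registry; the sample images are constructed for the demonstration.

```python
"""Audit container image tags against the fixed versions named in CVE-2025-47282."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Hypothetical image names -> advisory component. Adjust to match your registry.
COMPONENT_BY_IMAGE = {
    "dns-controller-manager": "external-dns-management",
    "gardener-extension-shoot-dns-service": "shoot-dns-service",
}

# Matches "v0.23.6", "0.23.6" and tags with suffixes such as "v0.23.6-rc1".
# Pre-release suffixes are ignored, so treat "-rc" builds as fixed with care.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str) -> Optional[Version]:
    """Return (major, minor, patch) or None when the tag is not a version."""
    m = VERSION_RE.match(tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def image_name_and_tag(image_ref: str) -> Tuple[str, Optional[str]]:
    """Split 'registry[:port]/path/name[:tag][@digest]' into (name, tag).

    Digest-only references carry no tag and are reported as unknown-version,
    because the digest alone does not tell us whether the fix is included.
    """
    ref = image_ref.split("@", 1)[0]          # drop any @sha256:... digest
    path, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                  # no tag, or colon was a registry port
        return ref.rsplit("/", 1)[-1], None
    return path.rsplit("/", 1)[-1], tag


def is_vulnerable(component: str, version: Version) -> bool:
    """Apply the advisory's per-component boundaries."""
    if component == "external-dns-management":
        return version < (0, 23, 6)            # all versions prior to 0.23.6
    if component == "shoot-dns-service":
        return version <= (1, 60, 0)           # all versions <= v1.60.0
    return False


def audit(image_refs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (image, component, status) for every image of an affected component.

    status is one of 'vulnerable', 'fixed' or 'unknown-version'. Images that do
    not belong to either component are skipped.
    """
    findings = []
    for ref in image_refs:
        name, tag = image_name_and_tag(ref)
        component = COMPONENT_BY_IMAGE.get(name)
        if component is None:
            continue
        version = parse_version(tag) if tag else None
        if version is None:
            status = "unknown-version"
        elif is_vulnerable(component, version):
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append((ref, component, status))
    return findings


# Constructed sample inventory, as you might collect it from a seed cluster.
SAMPLE_IMAGES = [
    "registry.example/gardener/dns-controller-manager:v0.23.5",
    "registry.example/gardener/dns-controller-manager:v0.23.6",
    "registry.example/gardener/gardener-extension-shoot-dns-service:v1.60.0",
    "registry.example/gardener/gardener-extension-shoot-dns-service:v1.61.0",
    "registry.example:5000/gardener/gardener-extension-shoot-dns-service@sha256:0123abcd",
    "registry.example/other/nginx:1.25",
]

if __name__ == "__main__":
    for image, component, status in audit(SAMPLE_IMAGES):
        print(f"{status:16} {component:24} {image}")
```

    To run it against a live cluster, collect the image list with something like `kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'` and pass the lines to `audit()`. Anything reported as `unknown-version` (digest-pinned images) should be resolved against your registry before it is considered patched.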

    Conclusion

    This vulnerability underscores the need for strict input validation in infrastructure components and careful handling of credentials in DNS secrets. Administrators should patch their installations immediately to mitigate the risk of privilege escalation in Gardener-managed Kubernetes clusters.

    For more details, refer to the official GitHub advisory.