Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
Severity: Critical (GitHub Reviewed)
Published: Sep 25, 2025, in gardener/gardener-extension-provider-aws; updated Sep 26, 2025
Package: gardener-extension-provider-aws; affected versions < 1.64.0; patched version 1.64.0
Description
Published by the National Vulnerability Database and to the GitHub Advisory Database on Sep 25, 2025; reviewed Sep 25, 2025; last updated Sep 26, 2025.
Impact
A security vulnerability was discovered in Gardener when Terraformer is used for infrastructure provisioning. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster in which the shoot cluster is managed.
This CVE affects all Gardener installations where Terraformer is used, or can be enabled, for infrastructure provisioning with any of the affected components listed below.
Affected Components
• gardener-extension-provider-gcp
• gardener-extension-provider-azure
• gardener-extension-provider-openstack
• gardener-extension-provider-aws
Affected Versions
• gardener-extension-provider-gcp < v1.46.0
• gardener-extension-provider-azure < v1.55.0
• gardener-extension-provider-openstack < v1.49.0
• gardener-extension-provider-aws < v1.64.0
Fixed versions
• gardener-extension-provider-gcp >= v1.46.0
• gardener-extension-provider-azure >= v1.55.0
• gardener-extension-provider-openstack >= v1.49.0
• gardener-extension-provider-aws >= v1.64.0
How do I mitigate this vulnerability?
Update to a fixed version.
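Added example (not Gardener project code): an audit helper that checks the provider-extension image tags running in a landscape against the fixed versions listed in this advisory. It assumes extension images follow the ".../extensions/<provider-name>:<tag>" layout; the sample image references are constructed.

```python
"""Audit Gardener provider-extension image tags against the fixed versions
from this advisory. Added example, not Gardener project code."""
import re

# Fixed versions from the advisory; anything below is affected.
FIXED_VERSIONS = {
    "provider-gcp": "v1.46.0",
    "provider-azure": "v1.55.0",
    "provider-openstack": "v1.49.0",
    "provider-aws": "v1.64.0",
}

# Assumption: extension images are referenced as ".../extensions/<name>:<tag>";
# a pre-release suffix such as "-rc1" after the tag is tolerated.
IMAGE_RE = re.compile(r"/extensions/(provider-[a-z]+):(v?\d+\.\d+\.\d+)")

def parse_version(tag):
    """'v1.63.2-rc1' -> (1, 63, 2); pre-release suffixes are ignored."""
    core = tag.lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))

def is_affected(component, version):
    """True if this component version is below the advisory's fixed version."""
    fixed = FIXED_VERSIONS.get(component)
    if fixed is None:
        return False  # not one of the components named in this advisory
    return parse_version(version) < parse_version(fixed)

def audit_images(image_refs):
    """Return {component: tag} for every affected extension image found."""
    findings = {}
    for ref in image_refs:
        m = IMAGE_RE.search(ref)
        if m and is_affected(m.group(1), m.group(2)):
            findings[m.group(1)] = m.group(2)
    return findings

# Constructed sample: image references as they might be listed from the
# extension Deployments in a garden or seed cluster.
SAMPLE_IMAGES = [
    "europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-aws:v1.63.2",
    "europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-gcp:v1.46.0",
    "europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.54.9",
    "europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-openstack:v1.50.1",
]

if __name__ == "__main__":
    for comp, tag in audit_images(SAMPLE_IMAGES).items():
        print(f"{comp} {tag} is affected; upgrade to >= {FIXED_VERSIONS[comp]}")
```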