{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47283", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-05T16:53:10.373Z", "datePublished": "2025-05-19T18:46:11.863Z", "dateUpdated": "2025-05-20T13:10:08.239Z"}, "containers": {"cna": {"title": "Bypassing project secret validation can lead to privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/gardener/gardener/security/advisories/GHSA-3hw7-qj9h-r835", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gardener/gardener/security/advisories/GHSA-3hw7-qj9h-r835"}], "affected": [{"vendor": "gardener", "product": "gardener", "versions": [{"version": "< 1.116.4", "status": "affected"}, {"version": ">= 1.117.0, < 1.117.5", "status": "affected"}, {"version": ">= 1.118.0, < 1.118.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-19T18:46:11.863Z"}, "descriptions": [{"lang": "en", "value": "Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. `gardener/gardener` (`gardenlet`) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue."}], "source": {"advisory": "GHSA-3hw7-qj9h-r835", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-20T13:10:00.494340Z", "id": "CVE-2025-47283", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T13:10:08.239Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47283", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-20T13:10:00.494340Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T13:10:04.170Z"}}], "cna": {"title": "Bypassing project secret validation can lead to privilege escalation", "source": {"advisory": "GHSA-3hw7-qj9h-r835", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gardener", "product": "gardener", "versions": [{"status": "affected", "version": "< 1.116.4"}, {"status": "affected", "version": ">= 1.117.0, < 1.117.5"}, {"status": "affected", "version": ">= 1.118.0, < 1.118.2"}]}], "references": [{"url": "https://github.com/gardener/gardener/security/advisories/GHSA-3hw7-qj9h-r835", "name": "https://github.com/gardener/gardener/security/advisories/GHSA-3hw7-qj9h-r835", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. `gardener/gardener` (`gardenlet`) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-19T18:46:11.863Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47283", "state": "PUBLISHED", "dateUpdated": "2025-05-20T13:10:08.239Z", "dateReserved": "2025-05-05T16:53:10.373Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-19T18:46:11.863Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. `gardener/gardener` (`gardenlet`) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue."}, {"lang": "es", "value": "Gardener implementa la gesti\u00f3n y operaci\u00f3n automatizadas de cl\u00fasteres de Kubernetes como servicio. Se descubri\u00f3 una vulnerabilidad de seguridad en Gardener anterior a las versiones 1.116.4, 1.117.5, 1.118.2 y 1.119.0 que podr\u00eda permitir que un usuario con privilegios administrativos en un proyecto de Gardener controle los cl\u00fasteres de semilla donde se administran sus cl\u00fasteres de brote. Esta CVE afecta a todas las instalaciones de Gardener, independientemente del proveedor de nube p\u00fablica utilizado para los cl\u00fasteres de semilla/brote. El componente afectado es `gardener/gardener` (`gardenlet`). Las versiones 1.116.4, 1.117.5, 1.118.2 y 1.119.0 solucionan el problema."}], "id": "CVE-2025-47283", "lastModified": "2025-05-21T20:25:16.407", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-19T19:15:51.747", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gardener/gardener/security/advisories/GHSA-3hw7-qj9h-r835"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}