cvelistv5 - CVE-2025-59823

CVE-2025-59823 (GCVE-0-2025-59823)

Vulnerability from cvelistv5

Published

2025-09-25 14:17

Modified

2025-09-25 18:55

Severity ?

9.9 (Critical) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0

Impacted products

	Vendor	Product	Version
	gardener	gardener-extension-provider-aws	Version: < 1.64.0 Version: < 1.55.0 Version: < 1.49.0 Version: < 1.46.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59823",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-25T18:54:31.939398Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-25T18:55:06.669Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gardener-extension-provider-aws",
          "vendor": "gardener",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.64.0"
            },
            {
              "status": "affected",
              "version": "\u003c 1.55.0"
            },
            {
              "status": "affected",
              "version": "\u003c 1.49.0"
            },
            {
              "status": "affected",
              "version": "\u003c 1.46.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-25T14:17:37.607Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6"
        },
        {
          "name": "https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0"
        },
        {
          "name": "https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0"
        },
        {
          "name": "https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0"
        },
        {
          "name": "https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0"
        }
      ],
      "source": {
        "advisory": "GHSA-227x-7mh8-3cf6",
        "discovery": "UNKNOWN"
      },
      "title": "Gardner providers vulnerable to code injection when Terraformer is used for infrastructure provisioning"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59823",
    "datePublished": "2025-09-25T14:17:37.607Z",
    "dateReserved": "2025-09-22T14:34:03.470Z",
    "dateUpdated": "2025-09-25T18:55:06.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59823\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-09-25T15:16:13.560\",\"lastModified\":\"2025-09-26T14:32:53.583\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59823\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-25T18:54:31.939398Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-25T18:54:41.401Z\"}}], \"cna\": {\"title\": \"Gardner providers vulnerable to code injection when Terraformer is used for infrastructure provisioning\", \"source\": {\"advisory\": \"GHSA-227x-7mh8-3cf6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"CHANGED\", \"version\": \"3.0\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gardener\", \"product\": \"gardener-extension-provider-aws\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.64.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 1.55.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 1.49.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 1.46.0\"}]}], \"references\": [{\"url\": \"https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6\", \"name\": \"https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0\", \"name\": \"https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0\", \"name\": \"https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0\", \"name\": \"https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0\", \"name\": \"https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-09-25T14:17:37.607Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59823\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-25T18:55:06.669Z\", \"dateReserved\": \"2025-09-22T14:34:03.470Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-09-25T14:17:37.607Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-59823

Vulnerability from fkie_nvd

Published

2025-09-25 15:16

Modified

2025-09-26 14:32

Severity ?

9.9 (Critical) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0
	security-advisories@github.com	https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0."
    }
  ],
  "id": "CVE-2025-59823",
  "lastModified": "2025-09-26T14:32:53.583",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-25T15:16:13.560",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-227x-7mh8-3cf6

Vulnerability from github

Published

2025-09-25 16:39

Modified

2025-09-26 17:37

Severity ?

9.9 (Critical) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning

Details

Impact

A security vulnerability was discovered in Gardener when Terraformer is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.

This CVE affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components mentioned below.

Affected Components

• gardener-extension-provider-gcp • gardener-extension-provider-azure • gardener-extension-provider-openstack • gardener-extension-provider-aws

Affected Versions

• gardener-extension-provider-gcp < v1.46.0 • gardener-extension-provider-azure < v1.55.0 • gardener-extension-provider-openstack < v1.49.0 • gardener-extension-provider-aws < v1.64.0

Fixed versions

• gardener-extension-provider-gcp >= v1.46.0 • gardener-extension-provider-azure >= v1.55.0 • gardener-extension-provider-openstack >= v1.49.0 • gardener-extension-provider-aws >= v1.64.0

How do I mitigate this vulnerability?

Update to a fixed version.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gardener/gardener-extension-provider-aws"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.64.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gardener/gardener-extension-provider-gcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.46.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gardener/gardener-extension-provider-azure"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.55.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gardener/gardener-extension-provider-openstack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.49.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-25T16:39:16Z",
    "nvd_published_at": "2025-09-25T15:16:13Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA security vulnerability was discovered in Gardener when [Terraformer](https://github.com/gardener/terraformer) is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.\n\nThis CVE affects all Gardener installations where [Terraformer](https://github.com/gardener/terraformer) is used/can be enabled for infrastructure provisioning with any of the affected components mentioned below.\n\n### Affected Components\n\u2022 gardener-extension-provider-gcp\n\u2022 gardener-extension-provider-azure\n\u2022 gardener-extension-provider-openstack\n\u2022 gardener-extension-provider-aws\n\n### Affected Versions\n\u2022 gardener-extension-provider-gcp \u003c v1.46.0\n\u2022 gardener-extension-provider-azure \u003c v1.55.0\n\u2022 gardener-extension-provider-openstack \u003c v1.49.0\n\u2022 gardener-extension-provider-aws \u003c v1.64.0\n\n### Fixed versions\n\u2022 gardener-extension-provider-gcp \u003e= v1.46.0\n\u2022 gardener-extension-provider-azure \u003e= v1.55.0\n\u2022 gardener-extension-provider-openstack \u003e= v1.49.0\n\u2022 gardener-extension-provider-aws \u003e= v1.64.0\n\n### How do I mitigate this vulnerability?\nUpdate to a fixed version.",
  "id": "GHSA-227x-7mh8-3cf6",
  "modified": "2025-09-26T17:37:50Z",
  "published": "2025-09-25T16:39:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59823"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-azure/commit/4573a4404969f89781ed6cf72e90554bc6ae2020"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-gcp/commit/51111b4f60c33c60dfdf18b1fc50f7ec8d8f70ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-openstack/commit/2ed6f0fe1be90fbef5d6093eb0b8325c8421b8d8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gardener/gardener-extension-provider-aws"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-59823 (GCVE-0-2025-59823)

Vulnerability from cvelistv5

fkie_cve-2025-59823

Vulnerability from fkie_nvd

ghsa-227x-7mh8-3cf6

Vulnerability from github

Impact

Affected Components

Affected Versions

Fixed versions

How do I mitigate this vulnerability?

Tags

Sightings

Nomenclature