Описание
Gardener allows metadata injection for a project secret which can lead to privilege escalation
A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.
Am I Vulnerable?
This CVE affects all Gardener installations where https://github.com/gardener/gardener-extension-provider-gcp is in use.
Affected Components
gardener/gardener(gardenlet)
Affected Versions
- < v1.116.4
- < v1.117.5
- < v1.118.2
- < v1.119.0
Fixed Versions
- >= v1.116.4
- >= v1.117.5
- >= v1.118.2
- >= v1.119.0
How do I mitigate this vulnerability?
Update to a fixed version.
Пакеты
github.com/gardener/gardener
< 1.116.4
1.116.4
github.com/gardener/gardener
>= 1.117.0, < 1.117.5
1.117.5
github.com/gardener/gardener
>= 1.118.0, < 1.118.2
1.118.2
Связанные уязвимости
Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in the `gardenlet` component of Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations where gardener/gardener-extension-provider-gcp is in use. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.