Impact
A security vulnerability was discovered in Gardener when Terraformer is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.
This issue has been rated Critical (CVSS 3.0 vector: https://www.first.org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, base score 9.9).
This CVE affects all Gardener installations where Terraformer is used, or can be enabled, for infrastructure provisioning with any of the affected components listed below.
Affected Components
• gardener-extension-provider-gcp
• gardener-extension-provider-azure
• gardener-extension-provider-openstack
• gardener-extension-provider-aws
Affected Versions
• gardener-extension-provider-gcp < v1.46.0
• gardener-extension-provider-azure < v1.55.0
• gardener-extension-provider-openstack < v1.49.0
• gardener-extension-provider-aws < v1.64.0
Fixed Versions
• gardener-extension-provider-gcp >= v1.46.0
• gardener-extension-provider-azure >= v1.55.0
• gardener-extension-provider-openstack >= v1.49.0
• gardener-extension-provider-aws >= v1.64.0
How do I mitigate this vulnerability?
Update to a fixed version.
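One way to check an inventory of deployed provider extensions against the fixed versions listed above, as an added example that is not Gardener project code; the inventory format, the version parsing and the sample versions are assumptions made here:

```python
"""Check deployed Gardener provider-extension versions against the fixed
versions in this advisory. Added example, not Gardener project code."""
import re

# Fixed versions from the advisory: extension name -> first safe release.
FIXED_VERSIONS = {
    "gardener-extension-provider-gcp": "v1.46.0",
    "gardener-extension-provider-azure": "v1.55.0",
    "gardener-extension-provider-openstack": "v1.49.0",
    "gardener-extension-provider-aws": "v1.64.0",
}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(version):
    """Return (major, minor, patch, is_release) for a 'vX.Y.Z[-pre]' string;
    a pre-release such as v1.55.0-dev sorts below the final v1.55.0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, prerelease = match.groups()
    return (int(major), int(minor), int(patch), prerelease is None)


def is_vulnerable(extension, version):
    """True when the extension is listed in the advisory and the deployed
    version is below its fixed version."""
    fixed = FIXED_VERSIONS.get(extension)
    return fixed is not None and parse_version(version) < parse_version(fixed)


def find_vulnerable(deployed):
    """deployed: mapping extension name -> deployed version string.
    Returns {name: (deployed, fixed)} for every entry that needs an update."""
    return {
        name: (version, FIXED_VERSIONS[name])
        for name, version in deployed.items()
        if is_vulnerable(name, version)
    }


if __name__ == "__main__":
    # Constructed inventory (assumed to be gathered from the garden cluster's
    # ControllerDeployments); the versions are illustrative only.
    sample = {
        "gardener-extension-provider-aws": "v1.63.2",
        "gardener-extension-provider-gcp": "v1.46.0",
        "gardener-extension-provider-azure": "v1.55.0-dev",
        "gardener-extension-provider-openstack": "v1.50.1",
    }
    for name, (have, need) in find_vulnerable(sample).items():
        print(f"{name}: {have} is affected, update to >= {need}")
```

Pre-release builds of a fixed version are treated as still affected, since the fix is only guaranteed from the final release onwards.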