CVE-2025-47283

Bypassing project secret validation can lead to privilege escalation

Description

Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters. `gardener/gardener` (`gardenlet`) is the affected component. Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 fix the issue.

Category

9.9
CVSS
Severity: Critical
CVSS 3.0 •
EPSS 0.09%
Affected: gardener gardener
Published at:
Updated at:

References

Link Tags
https://github.com/gardener/gardener/security/advisories/GHSA-3hw7-qj9h-r835

Frequently Asked Questions

What is the severity of CVE-2025-47283?
CVE-2025-47283 has been scored as a critical severity vulnerability.
How to fix CVE-2025-47283?
To fix CVE-2025-47283, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-47283 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-47283 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-47283?
CVE-2025-47283 affects gardener gardener.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.