Merge pull request #6546 from github/petersutter-GHSA-fw33-qpx7-rhx2

Author: advisory-database[bot]

advisories/github-reviewed/2025/12/GHSA-fw33-qpx7-rhx2/GHSA-fw33-qpx7-rhx2.json

@@ -6,7 +6,7 @@
   "aliases": [
     "CVE-2025-67508"
   ],
-  "summary": "Vulnerability discovered in gardenctl versions < v2.12.0",
+  "summary": "gardenctl is vulnerable to Command Injection when used with non‑POSIX shells",
   "details": "A security vulnerability was discovered for [gardenctl](https://github.com/gardener/gardenctl-v2) when it is used with non‑POSIX shells such as **[Fish](https://fishshell.com/)** and **[PowerShell](https://learn.microsoft.com/en-us/powershell/)**. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator's device.\n\n**Am I vulnerable?**\nThis CVE affects all Gardener operators who use  **gardenctl < v2.12.0** with non‑POSIX shells such as **[Fish](https://fishshell.com/)** and **[PowerShell](https://learn.microsoft.com/en-us/powershell/)**.",
   "severity": [
     {