Publish GHSA-227x-7mh8-3cf6

Author: advisory-database[bot]

advisories/github-reviewed/2025/09/GHSA-227x-7mh8-3cf6/GHSA-227x-7mh8-3cf6.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-227x-7mh8-3cf6",
-  "modified": "2025-09-25T16:39:16Z",
+  "modified": "2025-09-26T17:37:50Z",
   "published": "2025-09-25T16:39:16Z",
   "aliases": [
     "CVE-2025-59823"
   ],
-  "summary": "Gardener Extensions for multiple providers vulnerable to Terraform code injection",
+  "summary": "Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning",
   "details": "### Impact\n\nA security vulnerability was discovered in Gardener when [Terraformer](https://github.com/gardener/terraformer) is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.\n\nThis CVE affects all Gardener installations where [Terraformer](https://github.com/gardener/terraformer) is used/can be enabled for infrastructure provisioning with any of the affected components mentioned below.\n\n### Affected Components\n• gardener-extension-provider-gcp\n• gardener-extension-provider-azure\n• gardener-extension-provider-openstack\n• gardener-extension-provider-aws\n\n### Affected Versions\n• gardener-extension-provider-gcp < v1.46.0\n• gardener-extension-provider-azure < v1.55.0\n• gardener-extension-provider-openstack < v1.49.0\n• gardener-extension-provider-aws < v1.64.0\n\n### Fixed versions\n• gardener-extension-provider-gcp >= v1.46.0\n• gardener-extension-provider-azure >= v1.55.0\n• gardener-extension-provider-openstack >= v1.49.0\n• gardener-extension-provider-aws >= v1.64.0\n\n### How do I mitigate this vulnerability?\nUpdate to a fixed version.",
   "severity": [
     {