x/vulndb: potential Go vuln in github.com/gardener/gardener-extension-provider-openstack: GHSA-227x-7mh8-3cf6 #3981
Description
Advisory GHSA-227x-7mh8-3cf6 references a vulnerability in the following Go modules:
Description:
Impact
A security vulnerability was discovered in Gardener when Terraformer is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.
This CVE affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components mentioned below.
Affected Components
• gardener-extension-provi...
References:
- ADVISORY: GHSA-227x-7mh8-3cf6
- ADVISORY: GHSA-227x-7mh8-3cf6
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-59823
- FIX: gardener/gardener-extension-provider-aws@cb5045f
- FIX: gardener/gardener-extension-provider-azure@4573a44
- FIX: gardener/gardener-extension-provider-gcp@51111b4
- FIX: gardener/gardener-extension-provider-openstack@2ed6f0f
- WEB: https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0
- WEB: https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0
- WEB: https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0
- WEB: https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/gardener/gardener-extension-provider-openstack
non_go_versions:
- fixed: 1.55.0
vulnerable_at: 1.49.0
- module: github.com/gardener/gardener-extension-provider-openstack
non_go_versions:
- fixed: 1.64.0
vulnerable_at: 1.49.0
- module: github.com/gardener/gardener-extension-provider-openstack
versions:
- fixed: 1.46.0
vulnerable_at: 1.45.1
- module: github.com/gardener/gardener-extension-provider-openstack
versions:
- fixed: 1.49.0
vulnerable_at: 1.48.1
summary: |-
Gardener Extensions for multiple providers vulnerable to Terraform code
injection in github.com/gardener/gardener-extension-provider-openstack
cves:
- CVE-2025-59823
ghsas:
- GHSA-227x-7mh8-3cf6
references:
- advisory: https://github.com/advisories/GHSA-227x-7mh8-3cf6
- advisory: https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-59823
- fix: https://github.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2
- fix: https://github.com/gardener/gardener-extension-provider-azure/commit/4573a4404969f89781ed6cf72e90554bc6ae2020
- fix: https://github.com/gardener/gardener-extension-provider-gcp/commit/51111b4f60c33c60dfdf18b1fc50f7ec8d8f70ac
- fix: https://github.com/gardener/gardener-extension-provider-openstack/commit/2ed6f0fe1be90fbef5d6093eb0b8325c8421b8d8
- web: https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0
- web: https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0
- web: https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0
- web: https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0
notes:
- fix: 'module merge error: could not merge versions of module github.com/gardener/gardener-extension-provider-openstack: introduced and fixed versions must alternate'
source:
id: GHSA-227x-7mh8-3cf6
created: 2025-09-25T17:01:15.461558141Z
review_status: UNREVIEWED