9.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-47282

GHSA ID

GHSA-xwgg-m7fx-83wx

EPSS Score

0.31751%

CWE

CWE-20

Published

5/19/2025

Updated

5/19/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47282

CVE-2025-47282: Gardener External DNS Management allows malicious google credential in DNS secret to lead to privilege escalation

A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster, including administrative privileges for a single namespace of the shoot cluster, to obtain control over the seed cluster where the shoot cluster is managed.

Am I Vulnerable?

This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters.

Affected Components

gardener/external-dns-management

Affected Versions

< 0.23.6

Fixed Versions

>= 0.23.6

Important

The external-dns-management component may also be deployed on the seeds by the https://github.com/gardener/gardener-extension-shoot-dns-service extension when the extension is enabled. In this case, all versions of the shoot-dns-service extension <= v1.60.0 are affected by this vulnerability.

How do I mitigate this vulnerability?

Update to a fixed version.

(GitHub Advisory)

9.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-47282

GHSA ID

GHSA-xwgg-m7fx-83wx

EPSS Score

0.31751%

CWE

CWE-20

Published

5/19/2025

Updated

5/19/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gardener/external-dns-management	go	< 0.23.6	0.23.6
github.com/gardener/gardener-extension-shoot-dns-service	go	<= 1.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows privilege escalation through malicious Google Cloud credentials in a DNS secret. The fix, identified in commit 4cd7f49a9e548bc32ef573be2114c547c3d3f946, introduces validation for the 'project_id' within the service account JSON. The function NewHandler in pkg/controller/provider/google/handler.go was modified to incorporate this validation. Before this patch, NewHandler would process the service account JSON without this specific validation, making it the function that handles the potentially malicious input and is therefore vulnerable. The newly added function validateServiceAccountJSON is part of the mitigation, not the vulnerable code itself.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s**urity vuln*r**ility w*s *is*ov*r** in **r**n*r t**t *oul* *llow * us*r wit* **ministr*tiv* privil***s *or * **r**n*r proj**t or * us*r wit* **ministr*tiv* privil***s *or * s*oot *lust*r, in*lu*in* **ministr*tiv* privil***s *or * sin*l* n*m*sp***

Reasoning

T** vuln*r**ility *llows privil*** *s**l*tion t*rou** m*li*ious *oo*l* *lou* *r***nti*ls in * *NS s**r*t. T** *ix, i**nti*i** in *ommit ****************************************, intro*u**s v*li**tion *or t** 'proj**t_i*' wit*in t** s*rvi** ***ount JS

9.9

Basic Information

Concerned about an active attack path?

CVE-2025-47282: Gardener External DNS Management allows malicious google credential in DNS secret to lead to privilege escalation

Am I Vulnerable?

Affected Components

Affected Versions

Fixed Versions

Important

How do I mitigate this vulnerability?

9.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI