In Gardener before 0.20.0, incorrect access control in seed clusters allows information disclosure by sending HTTP GET requests from one's own shoot clusters to foreign shoot clusters. This occurs because traffic from shoot to seed via the VPN endpoint is not blocked.
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HGardener
APPGardener< 0.20.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
VPN
Related vulnerabilities
CVE-2025-47283CRITICAL9.9PL ✓ten sam produkt
Eskalacja uprawnień w Gardener — przejęcie kontroli nad seed cluster
CVE-2025-47284CRITICAL9.9PL ✓ten sam produkt
Eskalacja uprawnień w Gardener — przejęcie kontroli nad seed cluster
CVE-2018-2475HIGH8.5ten sam produkt
Following the Gardener architecture, the Kubernetes apiserver of a Gardener managed shoot cluster resides in t...