GO-2025-3981
PUBLISHED
Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning in github.com/gardener/gardener-extension-provider-aws
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | gardener/gardener-extension-provider-aws | 0, 0 |
| github.com | gardener/gardener-extension-provider-openstack | 0, 0 |
| github.com | gardener/gardener-extension-provider-gcp | 0, 0 |
| github.com | gardener/gardener-extension-provider-azure | 0, 0 |
Timeline
- Oct 23, 2025 CVE Published
- Mar 3, 2026 CVE Updated
- May 1, 2026 Security Advisory
References
- https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-59823 advisory
- https://github.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2 patch
- https://github.com/gardener/gardener-extension-provider-azure/commit/4573a4404969f89781ed6cf72e90554bc6ae2020 patch
- https://github.com/gardener/gardener-extension-provider-gcp/commit/51111b4f60c33c60dfdf18b1fc50f7ec8d8f70ac patch
- https://github.com/gardener/gardener-extension-provider-openstack/commit/2ed6f0fe1be90fbef5d6093eb0b8325c8421b8d8 patch
- https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0 url
- https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0 url
- https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0 url
- https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0 url