{"url":"http://public2.vulnerablecode.io/api/packages/62383?format=json","purl":"pkg:golang/github.com/gardener/gardener-extension-provider-openstack@1.49.0","type":"golang","namespace":"github.com/gardener","name":"gardener-extension-provider-openstack","version":"1.49.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.49.0","latest_non_vulnerable_version":"1.49.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/28868?format=json","vulnerability_id":"VCID-2m2w-zqgu-8ubb","summary":"Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning\n### Impact\n\nA security vulnerability was discovered in Gardener when [Terraformer](https://github.com/gardener/terraformer) is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.\n\nThis CVE affects all Gardener installations where [Terraformer](https://github.com/gardener/terraformer) is used/can be enabled for infrastructure provisioning with any of the affected components mentioned below.\n\n### Affected Components\n• gardener-extension-provider-gcp\n• gardener-extension-provider-azure\n• gardener-extension-provider-openstack\n• gardener-extension-provider-aws\n\n### Affected Versions\n• gardener-extension-provider-gcp < v1.46.0\n• gardener-extension-provider-azure < v1.55.0\n• gardener-extension-provider-openstack < v1.49.0\n• gardener-extension-provider-aws < v1.64.0\n\n### Fixed versions\n• gardener-extension-provider-gcp >= v1.46.0\n• gardener-extension-provider-azure >= v1.55.0\n• gardener-extension-provider-openstack >= v1.49.0\n• gardener-extension-provider-aws >= v1.64.0\n\n### How do I mitigate this vulnerability?\nUpdate to a fixed version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59823","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22127","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59823"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-aws","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gardener/gardener-extension-provider-aws"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-25T18:54:31Z/"}],"url":"https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-25T18:54:31Z/"}],"url":"https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-azure/commit/4573a4404969f89781ed6cf72e90554bc6ae2020","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gardener/gardener-extension-provider-azure/commit/4573a4404969f89781ed6cf72e90554bc6ae2020"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-25T18:54:31Z/"}],"url":"https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-gcp/commit/51111b4f60c33c60dfdf18b1fc50f7ec8d8f70ac","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gardener/gardener-extension-provider-gcp/commit/51111b4f60c33c60dfdf18b1fc50f7ec8d8f70ac"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-25T18:54:31Z/"}],"url":"https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-openstack/commit/2ed6f0fe1be90fbef5d6093eb0b8325c8421b8d8","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gardener/gardener-extension-provider-openstack/commit/2ed6f0fe1be90fbef5d6093eb0b8325c8421b8d8"},{"reference_url":"https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-25T18:54:31Z/"}],"url":"https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59823","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59823"},{"reference_url":"https://pkg.go.dev/vuln/GO-2025-3981","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2025-3981"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62383?format=json","purl":"pkg:golang/github.com/gardener/gardener-extension-provider-openstack@1.49.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/gardener/gardener-extension-provider-openstack@1.49.0"}],"aliases":["CVE-2025-59823","GHSA-227x-7mh8-3cf6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2m2w-zqgu-8ubb"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/gardener/gardener-extension-provider-openstack@1.49.0"}