GHSA-227x-7mh8-3cf6
CRITICALGardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/gardener/gardener-extension-provider-aws🐹github.com/gardener/gardener-extension-provider-gcp🐹github.com/gardener/gardener-extension-provider-azure🐹github.com/gardener/gardener-extension-provider-openstackReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
A security vulnerability was discovered in Gardener when Terraformer is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.
This CVE affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components mentioned below.
Affected Components
• gardener-extension-provider-gcp • gardener-extension-provider-azure • gardener-extension-provider-openstack • gardener-extension-provider-aws
Affected Versions
• gardener-extension-provider-gcp < v1.46.0 • gardener-extension-provider-azure < v1.55.0 • gardener-extension-provider-openstack < v1.49.0 • gardener-extension-provider-aws < v1.64.0
Fixed versions
• gardener-extension-provider-gcp >= v1.46.0 • gardener-extension-provider-azure >= v1.55.0 • gardener-extension-provider-openstack >= v1.49.0 • gardener-extension-provider-aws >= v1.64.0
How do I mitigate this vulnerability?
Update to a fixed version.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/gardener/gardener-extension-provider-aws | all versions | 1.64.0 |
| 🐹Go | github.com/gardener/gardener-extension-provider-gcp | all versions | 1.46.0 |
| 🐹Go | github.com/gardener/gardener-extension-provider-azure | all versions | 1.55.0 |
| 🐹Go | github.com/gardener/gardener-extension-provider-openstack | all versions | 1.49.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/gardener/gardener-extension-provider-aws. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/gardener/gardener-extension-provider-aws to 1.64.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-227x-7mh8-3cf6 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-227x-7mh8-3cf6 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-227x-7mh8-3cf6. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-227x-7mh8-3cf6 in your dependencies?
O3 detects GHSA-227x-7mh8-3cf6 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.