The vulnerability exists in the Terraformer component that Gardener provider extensions use for infrastructure provisioning. A user with administrative privileges in a Gardener project can inject commands into the Terraform configuration that the extension generates for that project's infrastructure. The Terraformer executes that configuration in a pod on the seed cluster, so the injected commands run with the pod's permissions. Because the Terraformer pod holds extensive permissions on the seed, successful exploitation lets the attacker escalate from the pod to the seed cluster itself, compromising the management plane for every shoot cluster managed by that seed.
Platform: Gardener Extensions
Version: < fixed versions
Vulnerability: Code Injection
Severity: Critical
Date: 2025-09-25
Prediction: Patch expected 2025-09-26
What Undercode Says:
kubectl get shoots --all-namespaces
grep -r "terraformer" /etc/gardener/extensions/
// Example of malicious Terraform main.tf injection
resource "null_resource" "exploit" {
  provisioner "local-exec" {
    command = "kubectl get secrets -n garden --kubeconfig /path/to/seed/config"
  }
}
How the exploit works:
An attacker who holds project admin rights injects Terraform code of their choosing into the infrastructure configuration. The Terraformer pod on the seed cluster executes it, and the attacker uses the pod's permissions to take control of the seed cluster.
Protection from this CVE:
Update the affected extensions to their patched versions. Restrict project admin privileges to users who need them. Monitor the Terraform configurations the Terraformer runs on the seed for constructs that execute commands, such as local-exec provisioners, which a generated infrastructure configuration should never contain.
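The "monitor Terraform configurations" advice above and the injection shown earlier both come down to the same check: the main.tf a provider extension generates declares cloud resources only, so any construct that can run a command (a local-exec or remote-exec provisioner, an external data source) is a sign of tampering. The scanner below is an added example, not code from this page, from Gardener or from the Terraformer project. It works on the raw HCL text rather than a full parser, strips comments while keeping string literals so that a "//" inside a URL is not mistaken for a comment, and reports findings with line numbers. The embedded sample main.tf is constructed for the example; the ConfigMap name and the main.tf data key mentioned in the usage comment are assumptions about how the Terraformer stores its configuration on the seed.

```python
import re
import sys
from typing import Dict, List

# Constructs that let a Terraform run execute arbitrary commands on the machine
# evaluating the configuration, which in Gardener is the Terraformer pod on the
# seed cluster. A provider extension's generated main.tf declares cloud
# resources only and should never contain any of these.
EXECUTING_CONSTRUCTS = {
    "local-exec provisioner": re.compile(r'provisioner\s+"local-exec"'),
    "remote-exec provisioner": re.compile(r'provisioner\s+"remote-exec"'),
    "external data source": re.compile(r'data\s+"external"\s+"'),
}

# Not executable on their own, but they exist mainly to host provisioners,
# so their presence in generated infrastructure code deserves a look.
SUSPICIOUS_CONSTRUCTS = {
    "null_resource": re.compile(r'resource\s+"null_resource"\s+"'),
    "terraform_data": re.compile(r'resource\s+"terraform_data"\s+"'),
}

# Tokenizer: string literals are kept (so "https://..." survives intact),
# line comments (# and //) and block comments are dropped. Heredoc strings
# (<<EOT) are not modelled; a "#" inside one is treated as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def strip_comments(hcl: str) -> str:
    """Remove HCL comments while preserving line numbers and string literals."""
    def repl(m):
        tok = m.group(0)
        if tok.startswith('"'):
            return tok
        # keep the newlines of multi-line block comments so line numbers stay right
        return "\n" * tok.count("\n")
    return _TOKEN.sub(repl, hcl)


def scan_terraform_config(hcl: str) -> List[Dict[str, object]]:
    """Return one finding per risky construct: kind, severity, line, text."""
    findings = []
    for lineno, line in enumerate(strip_comments(hcl).splitlines(), start=1):
        for kind, pat in EXECUTING_CONSTRUCTS.items():
            if pat.search(line):
                findings.append({"kind": kind, "severity": "high",
                                 "line": lineno, "text": line.strip()})
        for kind, pat in SUSPICIOUS_CONSTRUCTS.items():
            if pat.search(line):
                findings.append({"kind": kind, "severity": "medium",
                                 "line": lineno, "text": line.strip()})
    return findings


def is_clean(hcl: str) -> bool:
    """True when no construct that can execute commands was found."""
    return not any(f["severity"] == "high" for f in scan_terraform_config(hcl))


# Constructed sample: a provider-style main.tf with the malicious null_resource
# from the page appended at the end (lines 15-19 of the sample).
SAMPLE_MAIN_TF = """\
provider "aws" {
  region = "eu-west-1"
}

resource "aws_vpc" "vpc" {
  cidr_block = "10.250.0.0/16"
  tags = {
    Name = "shoot--garden--example"  // trailing comment, must not matter
    Url  = "https://example.invalid" # a string containing // is not a comment
  }
}

/* a commented-out provisioner "local-exec" must not be flagged */

resource "null_resource" "exploit" {
  provisioner "local-exec" {
    command = "kubectl get secrets -n garden --kubeconfig /path/to/seed/config"
  }
}
"""


if __name__ == "__main__":
    # Assumed usage on the seed (ConfigMap name and "main.tf" key are assumptions):
    #   kubectl -n <shoot-namespace> get cm <shoot>.infra.tf-config \
    #     -o jsonpath='{.data.main\\.tf}' | python3 scan_tf.py
    # With no piped input the constructed sample is scanned instead.
    config = SAMPLE_MAIN_TF if sys.stdin.isatty() else sys.stdin.read()
    for f in scan_terraform_config(config):
        print(f"{f['severity']:6} line {f['line']:3} {f['kind']}: {f['text']}")
    sys.exit(0 if is_clean(config) else 1)
```

Run against the sample it reports the null_resource as medium and the local-exec provisioner as high and exits non-zero; the commented-out provisioner and the "//" inside the URL string produce nothing. A text scan like this is a detection aid, not a replacement for the upstream fix: a project admin who can reach the generated configuration should be treated as able to reach the Terraformer pod's credentials until the extensions are patched.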
Impact:
Full seed cluster compromise. Control over managed shoot clusters. Breach of management plane.
Sources:
Reported By: github.com

