A security vulnerability was recently discovered for gardenctl when it is used with non‑POSIX shells such as Fish and PowerShell. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator's device.
This issue has been rated High CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H (Base score 8.0).
Am I vulnerable?
This CVE affects all Gardener operators who use gardenctl < v2.12.0 with non‑POSIX shells such as Fish and PowerShell.
Affected Components
Affected Versions
Fixed Versions
petersutterReporter
donistzCoordinator
JordanJordanovCoordinator
HeckEKCoordinator
A security vulnerability was recently discovered for gardenctl when it is used with non‑POSIX shells such as Fish and PowerShell. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator's device.
This issue has been rated High CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H (Base score 8.0).
Am I vulnerable?
This CVE affects all Gardener operators who use gardenctl < v2.12.0 with non‑POSIX shells such as Fish and PowerShell.
Affected Components
gardener/gardenctl-v2Affected Versions
Fixed Versions