{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"not set"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-59823","title":"Title"},{"category":"description","text":"Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-59823","url":"https://www.suse.com/security/cve/CVE-2025-59823"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"}],"title":"SUSE CVE CVE-2025-59823","tracking":{"current_release_date":"2025-10-24T23:23:05Z","generator":{"date":"2025-10-24T23:23:05Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-59823","initial_release_date":"2025-10-24T23:23:05Z","revision_history":[{"date":"2025-10-24T23:23:05Z","number":"2","summary":"Current version"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20251023T162509-1.1","product":{"name":"govulncheck-vulndb-0.0.20251023T162509-1.1","product_id":"govulncheck-vulndb-0.0.20251023T162509-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20251023T162509-1.1?upstream=govulncheck-vulndb-0.0.20251023T162509-1.1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20251023T162509-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251023T162509-1.1"},"product_reference":"govulncheck-vulndb-0.0.20251023T162509-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2025-59823","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-59823"}],"notes":[{"category":"general","text":"Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251023T162509-1.1"]},"references":[{"category":"external","summary":"CVE-2025-59823","url":"https://www.suse.com/security/cve/CVE-2025-59823"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:govulncheck-vulndb-0.0.20251023T162509-1.1"]}],"threats":[{"category":"impact","date":"2025-09-25T16:00:35Z","details":"not set"}],"title":"CVE-2025-59823"}]}