Gardener Security Announcement - CVE-2019-12494 - Incorrect access control in Gardener, please update to v0.20.0 or higher


Thormaehlen, Frederik

Jun 4, 2019, 9:53:13 AM
Hello Gardener Community,

a security-related issue was discovered in Gardener. The issue is medium severity (CVSS v3 5.9) [1] and can be mitigated with an update to Gardener v0.20.0 [2] or higher [3].

*Vulnerability Details*
Incorrect access control in seed clusters allows information disclosure by sending HTTP GET requests from one's own shoot clusters to foreign shoot clusters. This occurred because traffic from shoot clusters to their corresponding seed cluster via VPN endpoint was not blocked in Gardener before v0.20.0.

This issue is filed as CVE-2019-12494. See the GitHub Issue #40 [4] and PR #874 [6] for details.

*Am I vulnerable?*
In the Gardener Dashboard you can see in the upper right corner under "?" the "API version". If it is < 0.20.0 you are running a vulnerable Gardener version.

*How do I mitigate the vulnerability?*
All Gardener users are recommended to update their Gardener instances to v0.20.0 [2] or higher [3].

Thank You,

Frederik on behalf of the Gardener Security Team

As a reminder, if you find a security issue in Gardener, please report it following the Gardener security disclosure process [6] which is appropriate for your finding.

