CVE-2024-12401 — Improper Input Validation in Cert-manager Cert-manager

CWE-20 — Improper Input Validation7 documents5 sources

Severity

4.4MEDIUMNVD

EPSS

0.1%

top 75.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Cert-manager Cert-manager Msrc Azl3 Cert-manager 1.12.13-2 ON Azure Linux 3.0 Msrc Azl3 Cert-manager 1.12.15-1 ON Azure Linux 3.0 +2 more

Timeline

PublishedDec 12

Description

A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 0.7 | Impact: 3.6

Affected Packages5 packages

▶Gogithub.com/cert-manager_cert-manager1.13.0-alpha.0 — 1.15.4+2

▶msrcmsrc/azl3_cert-manager_1.12.13-2_on_azure_linux_3.0

▶msrcmsrc/azl3_cert-manager_1.12.15-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_cert-manager_1.11.2-18_on_cbl_mariner_2.0

▶msrcmsrc/cbl2_cert-manager_1.11.2-22_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

Duplicate Advisory: cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs↗2024-12-12

▶

OSV

Duplicate Advisory: cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs↗2024-12-12

▶

OSV

Potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager↗2024-11-21

▶

OSV

cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs↗2024-11-20

▶

📋Vendor Advisories

Microsoft

Cert-manager: potential dos when parsing specially crafted pem inputs↗2024-12-10

▶

Red Hat

cert-manager: potential DoS when parsing specially crafted PEM inputs↗2024-11-21

▶