
Description

A flaw was found in the cert-manager package. An attacker who can modify PEM data that cert-manager reads, for example the contents of a Secret resource, can make the cert-manager controller pod consume large amounts of CPU while parsing that data, giving a denial-of-service (DoS) vector against cert-manager in the cluster. Exploitation requires write access to the PEM-bearing object (reflected in the PR:H and AC:H components of the CVSS vector below); the impact is availability only.
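The description states the hazard (attacker-controlled PEM in a Secret, CPU exhaustion in the controller) but not the defensive pattern. The Go program below is an added example written for this page; it is not cert-manager's code and not its actual fix. It places a size- and block-count-bounded PEM decoder beside the plain unbounded decode loop, and runs both on a constructed payload of repeated BEGIN lines with no END marker, the kind of malformed input the referenced Go issue (go.dev/issue/50116) concerns. The limits maxPEMBytes and maxPEMBlocks, the helper names, and the 30,000-line payload size are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// Illustrative limits (assumed for this example). A real deployment should size
// them to the largest legitimate chain or key it expects to find in a Secret.
const (
	maxPEMBytes  = 64 * 1024 // 64 KiB: far above any realistic certificate chain
	maxPEMBlocks = 16        // a chain of a handful of certificates, nothing more
)

var (
	ErrPEMTooLarge      = errors.New("pem: input exceeds size limit")
	ErrPEMTooManyBlocks = errors.New("pem: input exceeds block-count limit")
	ErrPEMNoBlocks      = errors.New("pem: no PEM blocks found")
)

// decodePEMBounded decodes every PEM block in data, but refuses inputs larger
// than maxBytes before pem.Decode is ever called and stops after maxBlocks
// blocks. The work done on a hostile input is therefore bounded by the limits,
// not by the size of whatever an attacker wrote into the Secret.
func decodePEMBounded(data []byte, maxBytes, maxBlocks int) ([]*pem.Block, error) {
	if len(data) > maxBytes {
		return nil, fmt.Errorf("%w: %d > %d bytes", ErrPEMTooLarge, len(data), maxBytes)
	}
	var blocks []*pem.Block
	rest := data
	for {
		var b *pem.Block
		b, rest = pem.Decode(rest)
		if b == nil {
			break
		}
		blocks = append(blocks, b)
		if len(blocks) > maxBlocks {
			return nil, fmt.Errorf("%w: more than %d blocks", ErrPEMTooManyBlocks, maxBlocks)
		}
	}
	if len(blocks) == 0 {
		return nil, ErrPEMNoBlocks
	}
	return blocks, nil
}

// hostilePEM builds a constructed payload of n BEGIN lines with no END line.
// For every BEGIN line, pem.Decode scans the remainder of the input looking
// for an END marker, so the total work grows roughly with n squared.
func hostilePEM(n int) []byte {
	var buf bytes.Buffer
	for i := 0; i < n; i++ {
		buf.WriteString("-----BEGIN CERTIFICATE-----\n")
	}
	return buf.Bytes()
}

// unboundedDecodeCost runs the plain decode loop, with no size check, and
// reports how many blocks it found and how long it took.
func unboundedDecodeCost(data []byte) (blocks int, elapsed time.Duration) {
	start := time.Now()
	rest := data
	for {
		var b *pem.Block
		b, rest = pem.Decode(rest)
		if b == nil {
			break
		}
		blocks++
	}
	return blocks, time.Since(start)
}

func main() {
	// Constructed benign input: one well-formed block whose body is not real DER.
	benign := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed, not real DER")})
	blocks, err := decodePEMBounded(benign, maxPEMBytes, maxPEMBlocks)
	fmt.Printf("benign: %d block(s), err=%v\n", len(blocks), err)

	// 30,000 BEGIN lines is about 840 KB: under the 1 MiB Kubernetes Secret
	// limit, so an attacker with write access to the Secret could store it.
	hostile := hostilePEM(30_000)
	_, err = decodePEMBounded(hostile, maxPEMBytes, maxPEMBlocks)
	fmt.Printf("hostile, bounded decode: err=%v\n", err)

	n, took := unboundedDecodeCost(hostile)
	fmt.Printf("hostile, unbounded decode: %d block(s) after %v\n", n, took)
}
```

Run with `go run main.go`. The bounded path rejects the hostile payload with ErrPEMTooLarge before touching pem.Decode; the unbounded path returns no blocks but only after scanning the remainder once per BEGIN line, and the printed duration grows sharply as the line count is raised. The same size check belongs in front of any parser fed from a Secret, ConfigMap or other object that a lower-privileged principal may be able to write.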

State: PUBLISHED | Reserved 2024-12-10 | Published 2024-12-12 | Updated 2026-06-26 | Assigner: redhat

Severity: MEDIUM 4.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

Problem types

Improper Input Validation

Product status

Default status: unaffected
Any version: affected
1.13.0-alpha.0 (semver): affected
1.16.0-alpha.0 (semver): affected

Additional listed products: default status affected

Timeline

2024-11-21: Reported to Red Hat.
2024-11-21: Made public.

References

access.redhat.com/security/cve/CVE-2024-12401 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2327929 (RHBZ#2327929) issue-tracking

github.com/cert-manager/cert-manager/pull/7400

github.com/cert-manager/cert-manager/pull/7401

github.com/cert-manager/cert-manager/pull/7402

github.com/cert-manager/cert-manager/pull/7403

github.com/...anager/security/advisories/GHSA-r4pg-vg54-wxx4

go.dev/issue/50116

cve.org (CVE-2024-12401)

nvd.nist.gov (CVE-2024-12401)
