CVE-2024-12401
MEDIUM - cert-manager < 1.12.14 - Denial of Service via PEM Data Processing
Title source: llmDescription
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
References (8)
Issue Tracking: https://go.dev/issue/50116
Issue Tracking: https://github.com/cert-manager/cert-manager/pull/7400
Issue Tracking: https://github.com/cert-manager/cert-manager/pull/7401
Issue Tracking: https://github.com/cert-manager/cert-manager/pull/7402
Issue Tracking: https://github.com/cert-manager/cert-manager/pull/7403
Vendor Advisory: https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4
Vendor Advisory (vdb-entry, x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2024-12401
Issue Tracking (issue-tracking, x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2327929
Scores
CVSS v3
4.4
EPSS
0.0005
EPSS Percentile
16.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (9)
cert-manager/cert-manager
0 - 1.12.14 (Go)
Red Hat/cert-manager Operator for Red Hat OpenShift
Red Hat/Cryostat 3
Red Hat/Multicluster Engine for Kubernetes
Red Hat/OpenShift Serverless
Red Hat/Red Hat Connectivity Link 1
Red Hat/Red Hat OpenShift Container Platform 4
Red Hat/Red Hat Openshift Data Foundation 4
Red Hat/Red Hat OpenShift GitOps
Published
Dec 12, 2024
Tracked Since
Feb 18, 2026