CVE-2024-12401: Cert-manager: potential dos when parsing specially crafted pem inputs
First published: Thu Nov 21 2024(Updated: )
# Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r4pg-vg54-wxx4. This link is maintained to preserve external references. # Original Description A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/cert-manager/cert-manager | >=1.16.0-alpha.0<1.16.2 | 1.16.2 |
| go/github.com/cert-manager/cert-manager | >=1.13.0-alpha.0<1.15.4 | 1.15.4 |
| go/github.com/cert-manager/cert-manager | <1.12.14 | 1.12.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2024-12401
- https://bugzilla.redhat.com/show_bug.cgi?id=2327929
- https://github.com/cert-manager/cert-manager/pull/7400
- https://github.com/cert-manager/cert-manager/pull/7401
- https://github.com/cert-manager/cert-manager/pull/7402
- https://github.com/cert-manager/cert-manager/pull/7403
- https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4
- https://go.dev/issue/50116
- https://nvd.nist.gov/vuln/detail/CVE-2024-12401
- https://github.com/advisories/GHSA-ghw8-3xqw-hhcj (Advisory)
- https://www.ibm.com/support/pages/node/7232197 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-12401?
CVE-2024-12401 has been assessed as a moderate severity vulnerability.
How do I fix CVE-2024-12401?
To fix CVE-2024-12401, upgrade the cert-manager package to version 1.16.2, 1.15.4, or 1.12.14 depending on your existing version.
What software is affected by CVE-2024-12401?
CVE-2024-12401 affects cert-manager versions between 1.16.0-alpha.0 and 1.16.2, 1.13.0-alpha.0 and 1.15.4, and versions up to but not including 1.12.14.
What type of attack does CVE-2024-12401 allow?
CVE-2024-12401 allows an attacker to modify PEM data, potentially leading to unauthorized access.
Is CVE-2024-12401 a duplicate advisory?
Yes, CVE-2024-12401 has been withdrawn as it is a duplicate of GHSA-r4pg-vg54-wxx4.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-ghw8-3xqw-hhcj
- alias/CVE-2024-12401
- agent/software-canonical-lookup
- agent/references
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-cve
- agent/author
- agent/trending
- collector/github-advisory
- agent/source
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- collector/ibm-support
- source/IBM
- package-manager/go