A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
History

Thu, 12 Dec 2024 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Dec 2024 13:45:00 +0000

Type: References

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Low


Thu, 12 Dec 2024 09:15:00 +0000

Type: Description
Values Added: A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.

Type: Title
Values Added: Cert-manager: potential DoS when parsing specially crafted PEM inputs

Type: First Time appeared
Values Added: Redhat, Redhat cert Manager, Redhat cryostat, Redhat hybrid Cloud Gateway, Redhat multicluster Engine, Redhat openshift, Redhat openshift Data Foundation, Redhat openshift Gitops, Redhat serverless

Type: Weaknesses
Values Added: CWE-20

Type: CPEs
Values Added:
cpe:/a:redhat:cert_manager:1
cpe:/a:redhat:cryostat:3
cpe:/a:redhat:hybrid_cloud_gateway:1::el9
cpe:/a:redhat:multicluster_engine
cpe:/a:redhat:openshift:4
cpe:/a:redhat:openshift_data_foundation:4
cpe:/a:redhat:openshift_gitops:1
cpe:/a:redhat:serverless:1

Type: Vendors & Products
Values Added: Redhat, Redhat cert Manager, Redhat cryostat, Redhat hybrid Cloud Gateway, Redhat multicluster Engine, Redhat openshift, Redhat openshift Data Foundation, Redhat openshift Gitops, Redhat serverless

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-12-12T09:06:03.612Z

Updated: 2024-12-12T15:44:58.794Z

Reserved: 2024-12-10T13:30:10.806Z

Link: CVE-2024-12401

Vulnrichment

Updated: 2024-12-12T15:21:22.005Z

NVD

Status: Received

Published: 2024-12-12T09:15:05.790

Modified: 2024-12-12T09:15:05.790

Link: CVE-2024-12401

Redhat

Severity: Low

Public Date: 2024-11-21T19:52:52Z

Links: CVE-2024-12401 - Bugzilla