Описание
Duplicate Advisory: cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-r4pg-vg54-wxx4. This link is maintained to preserve external references.
Original Description
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
Ссылки
- https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4
- https://nvd.nist.gov/vuln/detail/CVE-2024-12401
- https://github.com/cert-manager/cert-manager/pull/7400
- https://github.com/cert-manager/cert-manager/pull/7401
- https://github.com/cert-manager/cert-manager/pull/7402
- https://github.com/cert-manager/cert-manager/pull/7403
- https://access.redhat.com/security/cve/CVE-2024-12401
- https://bugzilla.redhat.com/show_bug.cgi?id=2327929
- https://go.dev/issue/50116
Пакеты
github.com/cert-manager/cert-manager
< 1.12.14
1.12.14
github.com/cert-manager/cert-manager
>= 1.13.0-alpha.0, < 1.15.4
1.15.4
github.com/cert-manager/cert-manager
>= 1.16.0-alpha.0, < 1.16.2
1.16.2
Связанные уязвимости
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
