CVE-2024-12401

Cert-manager: potential dos when parsing specially crafted pem inputs

CVSS 4.4 MEDIUMEPSS 0.6%CWE-20

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 4.4EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

12 dez 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Produtos afetados

cert-managerRed Hat · cert-manager Operator for Red Hat OpenShift Red Hat · Cryostat 3 Red Hat · Multicluster Engine for Kubernetes Red Hat · OpenShift Serverless Red Hat · Red Hat Connectivity Link 1 Red Hat · Red Hat OpenShift Container Platform 4 Red Hat · Red Hat Openshift Data Foundation 4 Red Hat · Red Hat OpenShift GitOps

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://access.redhat.com/security/cve/CVE-2024-12401 https://bugzilla.redhat.com/show_bug.cgi?id=2327929 https://github.com/cert-manager/cert-manager/pull/7400 https://github.com/cert-manager/cert-manager/pull/7401 https://github.com/cert-manager/cert-manager/pull/7402 https://github.com/cert-manager/cert-manager/pull/7403 https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4 https://go.dev/issue/50116