cve-2024-12401
Vulnerability from cvelistv5
Published
2024-12-12 09:06
Modified
2025-03-15 05:58
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
Cert-manager: potential dos when parsing specially crafted pem inputs
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-12401
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2327929
secalert@redhat.comhttps://github.com/cert-manager/cert-manager/pull/7400
secalert@redhat.comhttps://github.com/cert-manager/cert-manager/pull/7401
secalert@redhat.comhttps://github.com/cert-manager/cert-manager/pull/7402
secalert@redhat.comhttps://github.com/cert-manager/cert-manager/pull/7403
secalert@redhat.comhttps://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4
secalert@redhat.comhttps://go.dev/issue/50116
Impacted products
Red Hatcert-manager Operator for Red Hat OpenShift
Red Hatcert-manager Operator for Red Hat OpenShift
Red Hatcert-manager Operator for Red Hat OpenShift
Red Hatcert-manager Operator for Red Hat OpenShift
Red HatCryostat 3
Red HatMulticluster Engine for Kubernetes
Red HatMulticluster Engine for Kubernetes
Red HatOpenShift Serverless
Red HatOpenShift Serverless
Red HatOpenShift Serverless
Red HatOpenShift Serverless
Red HatOpenShift Serverless
Red HatOpenShift Serverless
Red HatOpenShift Serverless
Red HatRed Hat Connectivity Link
Red HatRed Hat Connectivity Link
Red HatRed Hat OpenShift Container Platform 4
Red HatRed Hat OpenShift Container Platform 4
Red HatRed Hat Openshift Data Foundation 4
Red HatRed Hat OpenShift GitOps
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12401",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-12T15:21:20.829376Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-12T15:44:58.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/cert-manager/cert-manager",
          "defaultStatus": "unaffected",
          "packageName": "cert-manager",
          "versions": [
            {
              "lessThanOrEqual": "1.12.14",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "1.15.4",
              "status": "affected",
              "version": "1.13.0-alpha.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "1.16.2",
              "status": "affected",
              "version": "1.16.0-alpha.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:cert_manager:1"
          ],
          "defaultStatus": "affected",
          "packageName": "cert-manager/cert-manager-operator-bundle",
          "product": "cert-manager Operator for Red Hat OpenShift",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:cert_manager:1"
          ],
          "defaultStatus": "affected",
          "packageName": "cert-manager/cert-manager-operator-rhel9",
          "product": "cert-manager Operator for Red Hat OpenShift",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:cert_manager:1"
          ],
          "defaultStatus": "affected",
          "packageName": "cert-manager/jetstack-cert-manager-acmesolver-rhel9",
          "product": "cert-manager Operator for Red Hat OpenShift",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:cert_manager:1"
          ],
          "defaultStatus": "affected",
          "packageName": "cert-manager/jetstack-cert-manager-rhel9",
          "product": "cert-manager Operator for Red Hat OpenShift",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:cryostat:3"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat-tech-preview/cryostat-rhel8-operator",
          "product": "Cryostat 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:multicluster_engine"
          ],
          "defaultStatus": "affected",
          "packageName": "multicluster-engine/assisted-service-8-rhel8",
          "product": "Multicluster Engine for Kubernetes",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:multicluster_engine"
          ],
          "defaultStatus": "affected",
          "packageName": "multicluster-engine/assisted-service-9-rhel9",
          "product": "Multicluster Engine for Kubernetes",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serving-activator-rhel8",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serving-autoscaler-hpa-rhel8",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serving-autoscaler-rhel8",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serving-controller-rhel8",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serving-queue-rhel8",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serving-storage-version-migration-rhel8",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serving-webhook-rhel8",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:hybrid_cloud_gateway:1::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcl-operator-bundle-container",
          "product": "Red Hat Connectivity Link",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:hybrid_cloud_gateway:1::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcl-operator-container",
          "product": "Red Hat Connectivity Link",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-agent-installer-api-server-rhel8",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift4/ose-contour-rhel8",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_data_foundation:4"
          ],
          "defaultStatus": "affected",
          "packageName": "odf4/rook-ceph-rhel8-operator",
          "product": "Red Hat Openshift Data Foundation 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-gitops-1/gitops-rhel8-operator",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-11-21T19:52:52.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-15T05:58:20.676Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-12401"
        },
        {
          "name": "RHBZ#2327929",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327929"
        },
        {
          "url": "https://github.com/cert-manager/cert-manager/pull/7400"
        },
        {
          "url": "https://github.com/cert-manager/cert-manager/pull/7401"
        },
        {
          "url": "https://github.com/cert-manager/cert-manager/pull/7402"
        },
        {
          "url": "https://github.com/cert-manager/cert-manager/pull/7403"
        },
        {
          "url": "https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4"
        },
        {
          "url": "https://go.dev/issue/50116"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-11-21T23:00:43.367021+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-11-21T19:52:52+00:00",
          "value": "Made public."
        }
      ],
      "title": "Cert-manager: potential dos when parsing specially crafted pem inputs",
      "x_redhatCweChain": "CWE-20: Improper Input Validation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-12401",
    "datePublished": "2024-12-12T09:06:03.612Z",
    "dateReserved": "2024-12-10T13:30:10.806Z",
    "dateUpdated": "2025-03-15T05:58:20.676Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-12401\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2024-12-12T09:15:05.790\",\"lastModified\":\"2024-12-12T09:15:05.790\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.\"},{\"lang\":\"es\",\"value\":\" Se encontr\u00f3 una falla en el paquete cert-manager. Esta falla permite que un atacante que pueda modificar los datos PEM que lee el cert-manager, por ejemplo, en un recurso secreto, utilice grandes cantidades de CPU en el m\u00f3dulo controlador del cert-manager para crear efectivamente un vector de denegaci\u00f3n de servicio (DoS) para el cert-manager en el cl\u00faster.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.7,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2024-12401\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2327929\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/cert-manager/cert-manager/pull/7400\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/cert-manager/cert-manager/pull/7401\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/cert-manager/cert-manager/pull/7402\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/cert-manager/cert-manager/pull/7403\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://go.dev/issue/50116\",\"source\":\"secalert@redhat.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.