Cert-Manager Vulnerability Permits CPU-Based DoS Attack
CVE-2024-12401

4.4MEDIUM

Key Information:

Vendor
Red Hat
Status
Cert-manager Operator For Red Hat Openshift
Cryostat 3
Multicluster Engine For Kubernetes
Openshift Serverless
Vendor
CVE Published:
12 December 2024

Summary

A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.

References

https://access.redhat.com/security/cve/CVE-2024-12401
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2327929
issue-trackingx_refsource_REDHAT
https://github.com/cert-manager/cert-manager/pull/7400

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.