PT-2024-17578 · Unknown · Cert-Manager

Naveensrinivasan · Published 2024-11-20 · Updated 2026-01-30 · CVE-2024-12401

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

cert-manager versions prior to 1.12.14
cert-manager versions prior to 1.15.4
cert-manager versions prior to 1.16.2

Description

A flaw was found in the cert-manager package, allowing an attacker who can modify PEM data that cert-manager reads to use large amounts of CPU in the cert-manager controller pod, effectively creating a denial-of-service (DoS) vector for cert-manager in the cluster. This issue affects all versions of cert-manager since at least v0.1.0. The impact is reduced by the limited size of Secrets in Kubernetes, but an attacker could still create a DoS vector by inserting many large resources into the cluster.

Recommendations

For versions prior to 1.12.14, update to version 1.12.14 or later. For versions prior to 1.15.4, update to version 1.15.4 or later. For versions prior to 1.16.2, update to version 1.16.2 or later. As a temporary workaround, ensure that RBAC is scoped correctly in your cluster to limit the ability of users to modify resources containing PEM data.
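As an added example (not cert-manager's own code, and not the fix shipped in the patched releases), the following Go function shows the defensive pattern that removes the CPU-exhaustion vector described above: bounding the size of untrusted PEM input and the number of blocks before decoding. The limits and the sample input are constructed for illustration.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
)

// Limits are constructed for this example; the page does not state cert-manager's own.
const (
	maxPEMBytes  = 64 * 1024 // reject inputs larger than 64 KiB before any decoding
	maxPEMBlocks = 16        // reject inputs carrying more than 16 PEM blocks
)

var (
	ErrPEMTooLarge   = errors.New("pem: input exceeds size limit")
	ErrTooManyBlocks = errors.New("pem: too many blocks")
	ErrNoBlocks      = errors.New("pem: no PEM blocks found")
)

// DecodeBoundedPEM decodes every PEM block in data, but only after an
// upfront size check, and it stops as soon as the block cap is exceeded,
// so attacker-controlled Secret contents cannot drive unbounded parsing work.
func DecodeBoundedPEM(data []byte) ([]*pem.Block, error) {
	if len(data) > maxPEMBytes {
		return nil, ErrPEMTooLarge
	}
	var blocks []*pem.Block
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest) // returns nil when no further block exists
		if block == nil {
			break
		}
		blocks = append(blocks, block)
		if len(blocks) > maxPEMBlocks {
			return nil, ErrTooManyBlocks
		}
	}
	if len(blocks) == 0 {
		return nil, ErrNoBlocks
	}
	return blocks, nil
}

func main() {
	// Constructed sample: one small, well-formed CERTIFICATE block.
	sample := []byte("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
	blocks, err := DecodeBoundedPEM(sample)
	fmt.Println(len(blocks), err)
}
```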

Related Identifiers

AZL-54313
AZL-54324
CLEANSTART-2026-HV28992
CVE-2024-12401
GHSA-GHW8-3XQW-HHCJ
GHSA-R4PG-VG54-WXX4
GO-2024-3282
OPENSUSE-SU-2024:14599-1

Affected Products

Cert-Manager