Vulnerability Report: GO-2024-3282
- CVE-2024-12401, GHSA-r4pg-vg54-wxx4
- Affects: github.com/cert-manager/cert-manager
- Published: Nov 21, 2024
- Modified: Dec 12, 2024
Potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager
For detailed information about this vulnerability, visit https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4.
Affected Packages
Path / Go Versions / Symbols

Package (path not shown on this page)
Go versions: before v1.12.14, from v1.13.0-alpha.0 before v1.15.4, from v1.16.0-alpha.0 before v1.16.2
11 affected symbols:
- CertificateTemplateFromCSRPEM
- CertificateTemplateFromCertificateRequest
- CertificateTemplateFromCertificateSigningRequest
- DecodePrivateKeyBytes
- DecodeX509CertificateBytes
- DecodeX509CertificateChainBytes
- DecodeX509CertificateRequestBytes
- DecodeX509CertificateSetBytes
- GenerateLocallySignedTemporaryCertificate
- ParseSingleCertificateChainPEM
- RequestMatchesSpec

Package (path not shown on this page)
Go versions: before v1.12.14, from v1.13.0-alpha.0 before v1.15.4, from v1.16.0-alpha.0 before v1.16.2
Symbols: not listed on this page

Package (path not shown on this page)
Go versions: before v1.12.14, from v1.13.0-alpha.0 before v1.15.4, from v1.16.0-alpha.0 before v1.16.2
3 unexported affected symbols:
- controller.ProcessItem
- controller.Sync
- controller.finalizeOrder
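The affected functions above all take PEM bytes supplied by the caller, and the report links the slowdown to Go's encoding/pem (https://go.dev/issue/50116). The program below is an added example, not cert-manager's code or its fix: it shows the kind of bound a caller can put on PEM parsing so that the work spent on untrusted bytes (a Secret the controller reads, a CSR submitted by a client) stays bounded however the input is shaped. The limit values MaxPEMBytes and MaxPEMBlocks, the function names, and the self-signed sample certificate are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Illustrative limits (assumptions for this example, not cert-manager's values).
const (
	MaxPEMBytes  = 64 * 1024 // refuse anything larger before pem.Decode ever runs
	MaxPEMBlocks = 16        // refuse inputs that decode into more blocks than this
)

var (
	ErrPEMTooLarge      = errors.New("pem input exceeds size limit")
	ErrTooManyPEMBlocks = errors.New("pem input contains too many blocks")
	ErrNoCertificates   = errors.New("no CERTIFICATE blocks found")
)

// DecodeCertificateChainBounded returns every CERTIFICATE block in data, in order.
// Both the input size and the number of pem.Decode iterations are capped, so the
// time spent on attacker-controlled bytes is bounded by the limits rather than by
// whatever the input is shaped like. Blocks of other types are skipped.
func DecodeCertificateChainBounded(data []byte) ([]*x509.Certificate, error) {
	if len(data) > MaxPEMBytes {
		return nil, ErrPEMTooLarge
	}
	var certs []*x509.Certificate
	rest := data
	blocks := 0
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no further PEM block in the remaining bytes
		}
		blocks++
		if blocks > MaxPEMBlocks {
			return nil, ErrTooManyPEMBlocks
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", blocks, err)
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, ErrNoCertificates
	}
	return certs, nil
}

// NewSelfSignedCertPEM builds a throwaway ECDSA self-signed certificate and
// PEM-encodes it. Constructed sample input for this example only.
func NewSelfSignedCertPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// OversizedInput is a constructed input well over MaxPEMBytes (repeated header
// lines, no body); its contents never reach pem.Decode.
func OversizedInput() []byte {
	return bytes.Repeat([]byte("-----BEGIN CERTIFICATE-----\n"), MaxPEMBytes/8)
}

func main() {
	certPEM, err := NewSelfSignedCertPEM("example.test")
	if err != nil {
		panic(err)
	}
	inputs := map[string][]byte{
		"single cert": certPEM,
		"three certs": bytes.Repeat(certPEM, 3),
		"too many":    bytes.Repeat(certPEM, MaxPEMBlocks+1),
		"oversized":   OversizedInput(),
		"not pem":     []byte("hello"),
	}
	for name, input := range inputs {
		certs, err := DecodeCertificateChainBounded(input)
		fmt.Printf("%-12s -> %d certs, err=%v\n", name, len(certs), err)
	}
}
```

The size check comes first on purpose: it is the only one of the two limits that bounds the cost of a single pem.Decode call, while the block cap bounds the loop. Pick limits from the largest legitimate input you expect (a full chain plus a key is typically a few kilobytes), not from what the parser can tolerate.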
References
- https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4
- https://github.com/cert-manager/cert-manager/commit/3a4c9eb55e2e43570679840bbe3217869fbc8efc
- https://github.com/cert-manager/cert-manager/commit/f22f78c8c0a64d718e203b326bc844c488ad7850
- https://github.com/cert-manager/cert-manager/pull/7400
- https://github.com/cert-manager/cert-manager/pull/7401
- https://github.com/cert-manager/cert-manager/pull/7402
- https://github.com/cert-manager/cert-manager/pull/7403
- https://go.dev/issue/50116
- https://vuln.go.dev/ID/GO-2024-3282.json