Vulnerability DatabaseCVE-2024-12401

CVE-2024-12401:
CBL Mariner vulnerability analysis and mitigation

Overview

A vulnerability was discovered in the cert-manager package that allows an attacker who can modify PEM data that the cert-manager reads (for example, in a Secret resource) to create a denial-of-service (DoS) vector by causing high CPU usage in the cert-manager controller pod. The vulnerability was assigned CVE-2024-12401 and was disclosed on December 12, 2024 (NVD).

Technical details

The vulnerability is related to improper input validation (CWE-20) when processing PEM data. The issue stems from the cert-manager's handling of specially crafted PEM inputs that can cause extensive CPU consumption. The vulnerability has been assigned a CVSS v3.1 score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (NVD).

Impact

When exploited, this vulnerability can lead to a denial-of-service condition in the cert-manager controller pod through excessive CPU consumption. This can affect the overall performance and availability of the cert-manager service in the cluster (Red Hat).

Mitigation and workarounds

The vulnerability has been fixed through a series of patches that implement maximum size limits for PEM inputs. The fix was implemented across multiple versions through pull requests #7400, #7401, #7402, and #7403. Users should upgrade to the patched versions of cert-manager to mitigate this vulnerability (GitHub PR).

Additional resources

Source: This report was generated using AI

Related CBL Mariner vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-66031	HIGH	8.7	JavaScript	kibana-8.18	No	Yes	Nov 26, 2025
CVE-2025-12638	HIGH	8	CBL Mariner	keras	No	Yes	Nov 28, 2025
CVE-2025-13601	HIGH	7.7	CBL Mariner	glib2-debuginfo	No	Yes	Nov 26, 2025
CVE-2025-66293	HIGH	7.1	OpenJDK JDK	java-25-openjdk	No	Yes	Dec 03, 2025
CVE-2025-66030	MEDIUM	6.3	JavaScript	kubeflow-pipelines	No	Yes	Nov 26, 2025