x/vulndb: potential Go vuln in github.com/cert-manager/cert-manager: GHSA-r4pg-vg54-wxx4 #3282

Open
GoVulnBot opened this issue Nov 21, 2024 · 1 comment

Comments

@GoVulnBot

Advisory GHSA-r4pg-vg54-wxx4 references a vulnerability in the following Go modules:

Module
github.com/cert-manager/cert-manager

Description:

Impact

cert-manager packages which call the standard library pem.Decode() function can take a long time to process specially crafted invalid PEM data.

If an attacker is able to modify PEM data which cert-manager reads (e.g. in a Secret resource), they may be able to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for cert-manager in the cluster.

Secrets are limited in size to 1MiB, which reduces the impact of this issue; it was discover...

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cert-manager/cert-manager
      versions:
        - fixed: 1.12.14
        - introduced: 1.13.0-alpha.0
        - fixed: 1.15.4
        - introduced: 1.16.0-alpha.0
        - fixed: 1.16.2
      vulnerable_at: 1.16.1
summary: |-
    cert-manager has a potential slowdown / DoS when parsing specially crafted PEM
    inputs in github.com/cert-manager/cert-manager
ghsas:
    - GHSA-r4pg-vg54-wxx4
references:
    - advisory: https://github.com/advisories/GHSA-r4pg-vg54-wxx4
    - advisory: https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4
    - fix: https://github.com/cert-manager/cert-manager/pull/7400
    - fix: https://github.com/cert-manager/cert-manager/pull/7401
    - fix: https://github.com/cert-manager/cert-manager/pull/7402
    - fix: https://github.com/cert-manager/cert-manager/pull/7403
    - report: https://go.dev/issue/50116
source:
    id: GHSA-r4pg-vg54-wxx4
    created: 2024-11-21T15:01:41.939275865Z
review_status: UNREVIEWED
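
The report above describes the failure mode (crafted invalid PEM that keeps pem.Decode busy) but not the shape of such input or how a caller bounds the damage. The following is an added example written for this page; it is not cert-manager's code and not the change in the linked fix PRs. It builds a constructed input of many BEGIN lines with no matching END (for each BEGIN, pem.Decode searches the rest of the input for an END, fails, and moves to the next BEGIN, so work grows with the number of markers times the input size), and wraps pem.Decode in a guard that rejects oversized inputs or inputs with too many BEGIN markers before the standard library ever sees them. The limits MaxPEMBytes and MaxPEMMarkers, the function names and the error values are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// Hypothetical limits for this example. A Kubernetes Secret is capped at
// 1 MiB, so a caller that must accept any Secret still needs a bound that
// reflects how much CPU it is willing to spend on one decode.
const (
	MaxPEMBytes   = 64 * 1024 // bytes handed to pem.Decode
	MaxPEMMarkers = 64        // "-----BEGIN " occurrences tolerated
)

var (
	ErrPEMTooLarge     = errors.New("pem: input exceeds size limit")
	ErrPEMTooManyBegin = errors.New("pem: too many BEGIN markers")
	ErrNoPEMBlock      = errors.New("pem: no block found")
)

var beginMarker = []byte("-----BEGIN ")

// CraftedPEM is a constructed input (not a real-world sample): n BEGIN
// lines with no END line at all. pem.Decode returns (nil, data) for it,
// but only after scanning the remainder of the input once per marker.
func CraftedPEM(n int) []byte {
	var b bytes.Buffer
	for i := 0; i < n; i++ {
		b.WriteString("-----BEGIN CERTIFICATE-----\n")
	}
	return b.Bytes()
}

// CheckPEMInput runs two linear-time checks that together bound the work
// pem.Decode can do to roughly maxMarkers*maxBytes, independent of what
// the attacker puts between the markers.
func CheckPEMInput(data []byte, maxBytes, maxMarkers int) error {
	if len(data) > maxBytes {
		return ErrPEMTooLarge
	}
	if bytes.Count(data, beginMarker) > maxMarkers {
		return ErrPEMTooManyBegin
	}
	return nil
}

// SafeDecode is pem.Decode behind the guard above. A nil block with a nil
// error means the input passed the guard but contained no decodable block.
func SafeDecode(data []byte, maxBytes, maxMarkers int) (*pem.Block, []byte, error) {
	if err := CheckPEMInput(data, maxBytes, maxMarkers); err != nil {
		return nil, nil, err
	}
	block, rest := pem.Decode(data)
	return block, rest, nil
}

// SafeDecodeAll decodes every block in data (a certificate chain, say).
// The guard runs once on the whole input, not once per block, so the
// wrapper does not reintroduce a quadratic scan of its own.
func SafeDecodeAll(data []byte, maxBytes, maxMarkers int) ([]*pem.Block, error) {
	if err := CheckPEMInput(data, maxBytes, maxMarkers); err != nil {
		return nil, err
	}
	var blocks []*pem.Block
	rest := data
	for {
		block, next := pem.Decode(rest)
		if block == nil {
			break
		}
		blocks = append(blocks, block)
		rest = next
	}
	if len(blocks) == 0 {
		return nil, ErrNoPEMBlock
	}
	return blocks, nil
}

// TimeDecode measures an unguarded pem.Decode so the growth can be
// observed directly by running with increasing n.
func TimeDecode(data []byte) time.Duration {
	start := time.Now()
	pem.Decode(data)
	return time.Since(start)
}

func main() {
	for _, n := range []int{1000, 2000, 4000} {
		data := CraftedPEM(n)
		fmt.Printf("n=%d bytes=%d unguarded pem.Decode took %v\n", n, len(data), TimeDecode(data))
	}
	// Constructed two-block chain; the payload bytes are placeholders, not DER.
	leaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("leaf")})
	issuer := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("issuer")})
	chain := append(append([]byte{}, leaf...), issuer...)
	blocks, err := SafeDecodeAll(chain, MaxPEMBytes, MaxPEMMarkers)
	fmt.Println("chain blocks:", len(blocks), "err:", err)
	_, err = SafeDecodeAll(CraftedPEM(1000), MaxPEMBytes, MaxPEMMarkers)
	fmt.Println("crafted input:", err)
}
```

The marker count is the check that matters for this input shape; a pure size cap alone still lets a 1 MiB Secret full of BEGIN lines through, which is why the example bounds both. Callers that legitimately need longer chains should raise MaxPEMMarkers to what they expect rather than drop the check.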

@gopherbot (Contributor)

Change https://go.dev/cl/630756 mentions this issue: data/reports: add 2 needs review reports

gopherbot pushed a commit that referenced this issue Nov 21, 2024
  - data/reports/GO-2024-3279.yaml
  - data/reports/GO-2024-3282.yaml

Updates #3279
Updates #3282

Change-Id: I198fb77d1510d966d66fd34906f15ae24a1f2364
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/630756
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>