Advisories for Golang/Github.com/Cert-Manager/Cert-Manager package

2024

cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs

cert-manager packages which call the standard library pem.Decode() function can take a long time to process specially crafted invalid PEM data. If an attacker is able to modify PEM data which cert-manager reads (e.g. in a Secret resource), they may be able to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for cert-manager in the cluster. Secrets are limited in size …