@renovate renovate bot commented Feb 3, 2026

This PR contains the following updates:

Package: github.com/cert-manager/cert-manager
Change: v1.19.2 -> v1.19.3

cert-manager-controller DoS via Specially Crafted DNS Response

GHSA-gx3x-vq4p-mhhv

Impact

The cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS.

An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in Denial of Service (DoS) of the cert-manager controller.

The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.

Patches

The vulnerability was introduced in cert-manager v1.18.0 and has been patched in cert-manager v1.19.3 and v1.18.5, which are the supported minor releases at the time of publishing.

cert-manager versions prior to v1.18.0 are unaffected.

Workarounds
  • Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted and modified.
    • Note that DNS-over-HTTPS does not prevent the risk of an attacker-controlled authoritative DNS server.
Credits

Huge thanks to Oleh Konko (@1seal) for reporting the issue, providing a detailed PoC and an initial patch!

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

cert-manager/cert-manager (github.com/cert-manager/cert-manager)

v1.19.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
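Added here as a worked example (it is not code from the PR, the advisory, or the cert-manager project): a small checker that reads a cert-manager controller Deployment, places its image tag in the advisory's affected range (introduced in v1.18.0, fixed in v1.18.5 and v1.19.3), and reports whether the DNS-over-HTTPS workaround is configured. The flag names `--dns01-recursive-nameservers` (which accepts `https://<DoH server>` entries) and `--dns01-recursive-nameservers-only` are taken from cert-manager's controller documentation, not from this page; the Deployment JSON is a constructed sample shaped like `kubectl get deploy -o json` output.

```python
"""Check a cert-manager controller Deployment against GHSA-gx3x-vq4p-mhhv.

Added example, not part of the PR or the advisory. Flag names are assumed
from cert-manager's controller documentation; the sample JSON is constructed.
"""
import json
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Ranges from the advisory: introduced in v1.18.0; fixed in v1.18.5 and v1.19.3,
# the supported minor releases at publication. Other minors are reported as unknown.
INTRODUCED = (1, 18, 0)
FIXED_BY_MINOR: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 18): (1, 18, 5),
    (1, 19): (1, 19, 3),
}

# Constructed sample, shaped like `kubectl -n cert-manager get deploy cert-manager -o json`.
# doh.example is a placeholder DoH endpoint, not a real resolver.
SAMPLE_DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {"containers": [{
  "name": "cert-manager-controller",
  "image": "quay.io/jetstack/cert-manager-controller:v1.19.2",
  "args": [
    "--v=2",
    "--cluster-resource-namespace=$(POD_NAMESPACE)",
    "--dns01-recursive-nameservers=https://doh.example/dns-query,8.8.8.8:53",
    "--dns01-recursive-nameservers-only"
  ]
}]}}}}
""")


def parse_version(tag: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from 'v1.19.2' or from a full image reference."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"no semantic version found in {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def advisory_status(version: str) -> str:
    """Return 'unaffected' (< v1.18.0), 'affected', 'patched', or 'unknown'."""
    v = parse_version(version)
    if v < INTRODUCED:
        return "unaffected"
    fixed = FIXED_BY_MINOR.get((v[0], v[1]))
    if fixed is None:
        return "unknown"  # minor release not covered by the advisory text
    return "affected" if v < fixed else "patched"


def recursive_nameservers(args: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split --dns01-recursive-nameservers entries into (DoH https:// URLs, plain ip:port)."""
    args = list(args)
    doh: List[str] = []
    plain: List[str] = []
    for i, a in enumerate(args):
        if a.startswith("--dns01-recursive-nameservers="):
            value = a.split("=", 1)[1]
        elif a == "--dns01-recursive-nameservers" and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        for entry in (s.strip() for s in value.split(",") if s.strip()):
            (doh if entry.startswith("https://") else plain).append(entry)
    return doh, plain


def assess_deployment(deploy: dict) -> dict:
    """Summarize version status and workaround state for the controller container."""
    for c in deploy["spec"]["template"]["spec"]["containers"]:
        if "cert-manager-controller" in c.get("image", ""):
            args = c.get("args", [])
            doh, plain = recursive_nameservers(args)
            return {
                "image": c["image"],
                "status": advisory_status(c["image"]),
                "doh_nameservers": doh,
                "plain_nameservers": plain,  # any entry here still uses unencrypted DNS
                "recursive_only": any(
                    a in ("--dns01-recursive-nameservers-only",
                          "--dns01-recursive-nameservers-only=true")
                    for a in args
                ),
            }
    raise LookupError("no cert-manager-controller container found in Deployment")


if __name__ == "__main__":
    # Usage: kubectl -n cert-manager get deploy cert-manager -o json > deploy.json
    #        python3 check_cert_manager.py deploy.json   (no argument: uses the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            data = json.load(f)
    else:
        data = SAMPLE_DEPLOYMENT
    print(json.dumps(assess_deployment(data), indent=2))
```

Read the result as the advisory does: `status` is what matters, and the workaround fields only describe exposure while an upgrade is pending. A plain `ip:port` entry alongside a DoH URL still leaves one unencrypted resolver in use, and, as the advisory notes, DoH does nothing against an attacker-controlled authoritative server for the validated domain; only moving to v1.18.5 or v1.19.3 closes the issue.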

fwiesel commented Feb 3, 2026

We are not really affected by it, but it is easier to merge it than to discuss it away.

@renovate renovate bot force-pushed the renovate/go-github.com-cert-manager-cert-manager-vulnerability branch from cb080a7 to ea7f951 on February 3, 2026 10:20
@fwiesel fwiesel merged commit 9e44049 into main Feb 3, 2026
6 checks passed
@fwiesel fwiesel deleted the renovate/go-github.com-cert-manager-cert-manager-vulnerability branch February 3, 2026 10:53