GHSA-99jv-8292-2hpm

Suggest an improvement
Source
https://github.com/advisories/GHSA-99jv-8292-2hpm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-99jv-8292-2hpm/GHSA-99jv-8292-2hpm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-99jv-8292-2hpm
Published
2023-12-08T21:57:27Z
Modified
2023-12-08T21:57:27Z
Summary
eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations
Details

Impact

The eventing-gitlab cluster-local server doesn't set ReadHeaderTimeout‬‭ which could lead do a DDoS‬ ‭attack, where a large group of users send requests to the server causing the server to hang‬ ‭for long enough to deny it from being available to other users, also know as a Slowloris‬ ‭attack.

Patches

Fix in v1.12.1 and v1.11.3.

Credits

The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.

References

Affected packages

Go / knative.dev/eventing-gitlab

Package

Name
knative.dev/eventing-gitlab
View open source insights on deps.dev
Purl
pkg:golang/knative.dev/eventing-gitlab

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.39.0