GHSA-v7hc-87jc-qrrr

Suggest an improvement
Source
https://github.com/advisories/GHSA-v7hc-87jc-qrrr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-v7hc-87jc-qrrr/GHSA-v7hc-87jc-qrrr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v7hc-87jc-qrrr
Published
2023-12-06T19:19:35Z
Modified
2023-12-06T19:19:35Z
Summary
eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations
Details

Impact

The eventing-github cluster-local server doesn't set ReadHeaderTimeout‬‭ which could lead do a DDoS‬ ‭attack, where a large group of users send requests to the server causing the server to hang‬ ‭for long enough to deny it from being available to other users, also know as a Slowloris‬ ‭attack.

Patches

Fix in v1.12.1 and v1.11.3

Credits

The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.

References

Affected packages

Go / knative.dev/eventing-github

Package

Name
knative.dev/eventing-github
View open source insights on deps.dev
Purl
pkg:golang/knative.dev/eventing-github

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.39.1