{"id":"GHSA-99jv-8292-2hpm","summary":"eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations","details":"### Impact\n\nThe eventing-gitlab cluster-local server doesn't set `ReadHeaderTimeout`\u202c\u202d which could lead do a DDoS\u202c \u202dattack, where a large group of users send requests to the server causing the server to hang\u202c \u202dfor long enough to deny it from being available to other users, also know as a Slowloris\u202c \u202dattack.\n\n### Patches\n\nFix in `v1.12.1` and `v1.11.3`.\n\n\n### Credits\n\nThe vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.\n","modified":"2023-12-08T21:57:27Z","published":"2023-12-08T21:57:27Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2023-12-08T21:57:27Z","cwe_ids":[],"nvd_published_at":null,"severity":"LOW"},"references":[{"type":"WEB","url":"https://github.com/knative-extensions/eventing-gitlab/security/advisories/GHSA-99jv-8292-2hpm"},{"type":"WEB","url":"https://github.com/knative-extensions/eventing-gitlab/commit/463fcb36ac31cdac34eda0e900b64039d6d30b36"},{"type":"WEB","url":"https://github.com/knative-extensions/eventing-gitlab/commit/db76c668aa47890e7fe73c9df3135da292cfd9ec"},{"type":"PACKAGE","url":"https://github.com/knative-extensions/eventing-gitlab"}],"affected":[{"package":{"name":"knative.dev/eventing-gitlab","ecosystem":"Go","purl":"pkg:golang/knative.dev/eventing-gitlab"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"0.39.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-99jv-8292-2hpm/GHSA-99jv-8292-2hpm.json"}}],"schema_version":"1.7.3"}