eventing-gitlab v1.11.2 and v1.12.0 is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations
Package
No package listed
Affected versions
<= 1.12.0, <= 1.11.2
Patched versions
1.12.1, 1.11.3
Impact
The eventing-gitlab cluster-local server doesn't set
ReadHeaderTimeout
which could lead do a DDoS attack, where a large group of users send requests to the server causing the server to hang for long enough to deny it from being available to other users, also know as a Slowloris attack.Patches
Fix in
v1.12.1
andv1.11.3
.Credits
The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.