Advisories for Golang/Knative.dev/Eventing-Gitlab package

2023

eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations

Impact The eventing-gitlab cluster-local server does not set ReadHeaderTimeout which could lead do a DDoS attack, where a large group of users send requests to the server causing the server to hang for long enough to deny it from being available to other users, also know as a Slowloris attack. Patches Fix in v1.12.1 and v1.11.3. Credits The vulnerability was reported by Ada Logics during an ongoing security audit of …