GHSA-99jv-8292-2hpm

Опубликовано: 08 дек. 2023

Источник: github

Github: Прошло ревью

Описание

eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations

Impact

The eventing-gitlab cluster-local server doesn't set ReadHeaderTimeout‬‭ which could lead do a DDoS‬ ‭attack, where a large group of users send requests to the server causing the server to hang‬ ‭for long enough to deny it from being available to other users, also know as a Slowloris‬ ‭attack.

Patches

Fix in v1.12.1 and v1.11.3.

Credits

The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.

Ссылки

https://github.com/knative-extensions/eventing-gitlab/security/advisories/GHSA-99jv-8292-2hpm
https://github.com/knative-extensions/eventing-gitlab/commit/463fcb36ac31cdac34eda0e900b64039d6d30b36
https://github.com/knative-extensions/eventing-gitlab/commit/db76c668aa47890e7fe73c9df3135da292cfd9ec

Пакеты

Наименование

knative.dev/eventing-gitlab

Затронутые версииВерсия исправления

<= 0.39.0

Отсутствует