eventing-github v1.11.2 and v1.12.0 are vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations
Package
No package listed
Affected versions
<= 1.12.0, <= 1.11.2
Patched versions
v1.12.1, v1.11.3
Impact
The eventing-github cluster-local server doesn't set ReadHeaderTimeout, which could lead to a DDoS attack, where a large group of users send requests to the server causing the server to hang for long enough to deny it from being available to other users, also known as a Slowloris attack.
Patches
Fixed in v1.12.1 and v1.11.3
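As an added illustration (not eventing-github's or Knative's own code), the unpatched net/http pattern beside the hardened one, plus a loopback check that verifies a header timeout really ends a half-sent request; the 2-second value, the handler and the helper names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"time"
)

// Constructed example, not eventing-github's own code. Leaving ReadHeaderTimeout
// (and ReadTimeout) at zero means header reads are never bounded.
func unpatchedServer(h http.Handler) *http.Server {
	return &http.Server{Handler: h}
}

// hardenedServer bounds how long a client may take to finish sending its
// request header; the 2s value is an assumption for this demo, not the fix's.
func hardenedServer(h http.Handler) *http.Server {
	return &http.Server{Handler: h, ReadHeaderTimeout: 2 * time.Second}
}

// slowlorisExposed reports whether header reads are unbounded. net/http uses
// ReadTimeout when ReadHeaderTimeout is zero, so both must be unset.
func slowlorisExposed(s *http.Server) bool {
	return s.ReadHeaderTimeout <= 0 && s.ReadTimeout <= 0
}

// headerTimeoutEnforced serves s on a loopback port, opens one connection that
// sends an incomplete header, and reports whether the server reacts before deadline.
func headerTimeoutEnforced(s *http.Server, deadline time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go s.Serve(ln)
	defer s.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	fmt.Fprint(conn, "GET / HTTP/1.1\r\nHost: localhost\r\nX-Slow: ") // never completed
	conn.SetReadDeadline(time.Now().Add(deadline))
	_, err = conn.Read(make([]byte, 1))
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // our deadline expired first: the server is still waiting
	}
	return true, nil // EOF/reset or a response: the server gave up on the slow client
}
```

Calling headerTimeoutEnforced with the unpatched server and a short deadline returns false (the connection is still open), while the hardened server returns true once its ReadHeaderTimeout elapses.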
Credits
The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.