N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-99jv-8292-2hpm

GHSA-99jv-8292-2hpm: eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations

Impact

The eventing-gitlab cluster-local server doesn't set ReadHeaderTimeout‬‭ which could lead do a DDoS‬ ‭attack, where a large group of users send requests to the server causing the server to hang‬ ‭for long enough to deny it from being available to other users, also know as a Slowloris‬ ‭attack.

Patches

Fix in v1.12.1 and v1.11.3.

Credits

The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-99jv-8292-2hpm

GHSA-99jv-8292-2hpm:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
knative.dev/eventing-gitlab	go	<= 0.39.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the HTTP server configuration in the start method of gitLabReceiveAdapter. The original code created an http.Server without setting ReadTimeout and ReadHeaderTimeout fields. The patched commit explicitly adds these timeout parameters to prevent slowloris attacks. Since this is the only code modification shown in the advisory and commit diff, and the server initialization is directly tied to the described vulnerability, we can conclusively identify this function as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-99jv-8292-2hpm: eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations

Impact

Patches

Credits

GHSA-99jv-8292-2hpm:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Basic Information

Basic Information

GHSA-99jv-8292-2hpm: eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations

Impact

Patches

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI