GHSA-99jv-8292-2hpm: 
vulnerability analysis and mitigation

A security vulnerability was identified in knative.dev/eventing-gitlab affecting versions up to 0.39.0, specifically impacting versions 1.11.2 and 1.12.0. The vulnerability was discovered during a security audit conducted by Ada Logics in collaboration with Knative maintainers, OSTIF, and CNCF. The issue was published on December 6, 2023, and updated on December 8, 2023, receiving a low severity rating (GitHub Advisory).

The vulnerability stems from the eventing-gitlab cluster-local server's failure to set ReadHeaderTimeout, which is a critical security parameter. This oversight in the server configuration could expose the system to potential denial of service attacks. The technical fix involved adding specific timeout parameters to the server configuration, including a ReadTimeout of 10 seconds and a ReadHeaderTimeout of 2 seconds (Gitlab Commit).

The vulnerability could lead to a Denial of Service (DoS) condition where a coordinated group of users could send requests to the server in a way that causes it to hang for extended periods, effectively making the service unavailable to legitimate users. This type of attack is specifically known as a Slowloris attack (GitHub Advisory).

The vulnerability has been patched in versions v1.12.1 and v1.11.3. The fix implements proper timeout settings on read operations to prevent Slowloris-type attacks. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).