GHSA-v7hc-87jc-qrrr: 
vulnerability analysis and mitigation

The eventing-github cluster-local server in versions ≤1.12.0 and ≤1.11.2 was identified with a low-severity vulnerability (GHSA-v7hc-87jc-qrrr) related to improper timeout enforcement on individual read operations. The vulnerability was discovered and reported by Ada Logics during a security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF, and was disclosed on December 6, 2023 (GitHub Advisory).

The vulnerability stems from the server's failure to set ReadHeaderTimeout, which is a critical security parameter for HTTP servers. The fix implemented in versions v1.12.1 and v1.11.3 added both ReadTimeout set to 10 seconds and ReadHeaderTimeout set to 2 seconds on the HTTP server configuration (GitHub Commit).

The vulnerability could lead to a Denial of Service (DoS) attack, specifically a Slowloris-type attack, where attackers could cause the server to hang by sending requests in a way that occupies server resources for extended periods, making the service unavailable to legitimate users (GitHub Advisory).

The vulnerability has been patched in versions v1.12.1 and v1.11.3. Users should upgrade to these or newer versions to receive the security fix that implements proper timeout controls (GitHub Advisory).