Password Pusher rate limiter can be bypassed by forging proxy headers
Moderate severity
GitHub Reviewed
Published
Nov 20, 2024
in
pglombardo/PasswordPusher
•
Updated Nov 22, 2024
Description
Published by the National Vulnerability Database
Nov 20, 2024
Published to the GitHub Advisory Database
Nov 20, 2024
Reviewed
Nov 20, 2024
Last updated
Nov 22, 2024
Impact
Password Pusher comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service.
Patches
In v1.49.0, a fix was implemented to only authorize proxies on local IPs which resolves this issue.
If you are running a remote proxy, please see this documentation on how to authorize the IP address of your remote proxy.
Workarounds
It is highly suggested to upgrade to at least v1.49.0 to mitigate this risk.
If for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept external proxy headers such as
X-Forwarded-*
from clients.References
The new settings are configurable to authorize remote proxies.
References