CVE-2024-52796.yml
---
gem: pwpush
cve: 2024-52796
ghsa: ffp2-8p2h-4m5j
url: https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
title: Password Pusher rate limiter can be bypassed by forging proxy headers
date: 2024-11-20
description: |
  ### Impact
  Password Pusher comes with a configurable rate limiter.
  In versions prior to [v1.49.0], the rate limiter could be bypassed by forging
  proxy headers (such as `X-Forwarded-For`), allowing bad actors to send
  unlimited traffic to the site and potentially causing a denial of service.
  ### Patches
  In [v1.49.0], a fix was implemented to only authorize proxies on local IPs,
  which resolves this issue.
  If you are running a remote proxy, please see
  [this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies)
  on how to authorize the IP address of your remote proxy.
  ### Workarounds
  It is highly suggested to upgrade to at least [v1.49.0] to mitigate this risk.
  If for some reason you cannot immediately upgrade, the alternative
  is to add rules to your proxy and/or firewall so that external proxy
  headers such as `X-Forwarded-*` are not accepted from clients.
  ### References
  The new settings are [configurable to authorize remote proxies][1].
  [v1.49.0]: https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
  [1]: https://docs.pwpush.com/docs/proxies/#trusted-proxies
cvss_v3: 5.3
patched_versions:
  - ">= 1.49.0"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-52796
    - https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
    - https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
    - https://docs.pwpush.com/docs/proxies/#trusted-proxies
    - https://github.com/advisories/GHSA-ffp2-8p2h-4m5j
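Worked example of the header-trust logic behind this advisory. This is added illustration code, not Password Pusher's own implementation: it contrasts a resolver that believes `X-Forwarded-For` from any peer (the pre-v1.49.0 behaviour the description refers to) with one that honours the header only when the TCP peer is an authorized proxy, and feeds both into a per-address throttle to show why forged headers bypass the limiter in one case and not the other. The trusted-proxy ranges (loopback plus RFC 1918), the `Throttle` class, the function names and the sample addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```ruby
require "ipaddr"

# Added example; constructed here, not Password Pusher's code.
# Assumed trusted-proxy ranges: loopback plus RFC 1918 private networks,
# standing in for the "local IPs" the v1.49.0 fix authorizes by default.
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
  .map { |cidr| IPAddr.new(cidr) }.freeze

def trusted_proxy?(ip, trusted)
  trusted.any? { |net| net.family == ip.family && net.include?(ip) }
end

# Vulnerable resolver: believes the leftmost X-Forwarded-For entry no matter
# who sent it, so any client can choose the address it is rate-limited under.
def naive_client_ip(peer, xff)
  hops = xff.to_s.split(",").map(&:strip).reject(&:empty?)
  hops.first || peer
end

# Hardened resolver: walk the chain (X-Forwarded-For entries followed by the
# TCP peer) from the nearest hop backwards, skipping authorized proxies. The
# first hop that is not a trusted proxy is the client. When the peer itself is
# untrusted, the header is ignored entirely and the peer address is used.
def client_ip(peer, xff, trusted = TRUSTED_PROXIES)
  hops = xff.to_s.split(",").map(&:strip).reject(&:empty?)
  chain = hops + [peer]
  chain.reverse_each do |addr|
    ip = begin
      IPAddr.new(addr)
    rescue IPAddr::Error
      nil
    end
    return peer if ip.nil?                 # malformed hop: fall back to the peer
    return addr unless trusted_proxy?(ip, trusted)
  end
  chain.first                              # every hop was a trusted proxy
end

# Minimal fixed-window throttle keyed on the resolved client address.
class Throttle
  def initialize(limit)
    @limit = limit
    @counts = Hash.new(0)
  end

  # True while the key is still under its request budget.
  def allow?(key)
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

# Attacker on 203.0.113.7 (no proxy in front of the app) sends +requests+
# requests, each carrying a freshly forged X-Forwarded-For value.
# Returns how many the throttle let through.
def simulate(resolver, limit: 5, requests: 50)
  throttle = Throttle.new(limit)
  allowed = 0
  requests.times do |i|
    forged = "198.51.100.#{(i % 250) + 1}"
    allowed += 1 if throttle.allow?(resolver.call("203.0.113.7", forged))
  end
  allowed
end

if __FILE__ == $PROGRAM_NAME
  puts "naive resolver let through:  #{simulate(method(:naive_client_ip))} of 50"
  puts "strict resolver let through: #{simulate(method(:client_ip))} of 50"
  # A real proxy on 10.0.0.2 appends the true client to whatever it received,
  # so a forged leading entry is skipped and the genuine client is selected.
  puts client_ip("10.0.0.2", "198.51.100.1, 203.0.113.9")
end
```

With the naive resolver every forged header opens a fresh throttle bucket, so all 50 requests pass; with the strict resolver the untrusted peer is keyed on its own address and only the first 5 pass. The proxy/firewall workaround in the advisory enforces the same rule one hop earlier: the reverse proxy overwrites `X-Forwarded-For` with the real peer address instead of appending to a client-supplied value, so the application never sees an attacker-controlled entry.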