Commit 56351cd

GHSA SYNC: 1 brand new advisory
1 parent abe5f92 commit 56351cd

File tree

1 file changed

+51
-0
lines changed


gems/pwpush/CVE-2024-52796.yml

Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
---
2+
gem: pwpush
3+
cve: 2024-52796
4+
ghsa: ffp2-8p2h-4m5j
5+
url: https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
6+
title: Password Pusher rate limiter can be bypassed by forging proxy headers
7+
date: 2024-11-20
8+
description: |
9+
### Impact
10+
11+
Password Pusher comes with a configurable rate limiter.
12+
In versions prior to
13+
[v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0),
14+
the rate limiter could be bypassed by forging proxy headers allowing
15+
bad actors to send unlimited traffic to the site potentially causing
16+
a denial of service.
17+
18+
### Patches
19+
20+
In [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0),
21+
a fix was implemented to only authorize proxies on local IPs which
22+
resolves this issue.
23+
24+
If you are running a remote proxy, please see
25+
[this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies)
26+
on how to authorize the IP address of your remote proxy.
27+
28+
### Workarounds
29+
30+
It is highly suggested to upgrade to at least
31+
[v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0)
32+
to mitigate this risk.
33+
34+
If for some reason you cannot immediately upgrade, the alternative
35+
is that you can add rules to your proxy and/or firewall to not
36+
accept external proxy headers such as `X-Forwarded-*` from clients.
37+
38+
### References
39+
40+
The new settings are
41+
[configurable to authorize remote proxies](https://docs.pwpush.com/docs/proxies/#trusted-proxies).
42+
cvss_v3: 5.3
43+
patched_versions:
44+
- ">= 1.49.0"
45+
related:
46+
url:
47+
- https://nvd.nist.gov/vuln/detail/CVE-2024-52796
48+
- https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
49+
- https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
50+
- https://docs.pwpush.com/docs/proxies/#trusted-proxies
51+
- https://github.com/advisories/GHSA-ffp2-8p2h-4m5j
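Review bot: the `related.url` list (lines 47-51 of the hunk) repeats the GHSA advisory link already given in `url:` and the v1.49.0 release link already cited in the description; dropping those two duplicates leaves the NVD entry, the trusted-proxies documentation and the github.com/advisories entry as the genuinely additional references. Also, the Patches section says the fix now "only authorize[s] proxies on local IPs" and the remote-proxy note follows as a separate paragraph; since an operator who is behind a remote proxy and upgrades without first configuring the trusted-proxies setting will have their proxy's forwarded addresses stop being trusted, it would be clearer to state that configuration step alongside the upgrade recommendation in Workarounds rather than only in Patches.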
