logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-52796 pwpush

Package

Manager: gem
Name: pwpush
Vulnerable Version: >=0 <1.49.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

EPSS: 0.00182 pctl0.40178

Details

Password Pusher rate limiter can be bypassed by forging proxy headers ### Impact Password Pusher comes with a configurable rate limiter. In versions prior to [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service. Additionally, with the ability to bypass rate limiting, it also allows attackers to more easily execute brute force attacks. ### Patches In [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), a fix was implemented to only authorize proxies on local IPs which resolves this issue. If you are running a remote proxy, please see [this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies) on how to authorize the IP address of your remote proxy. ### Workarounds It is highly suggested to upgrade to at least [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0) to mitigate this risk. If for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept external proxy headers such as `X-Forwarded-*` from clients. ### References The new settings are [configurable to authorize remote proxies](https://docs.pwpush.com/docs/proxies/#trusted-proxies). ### Credits Thank you to [Positive Technologies](https://www.ptsecurity.com/ww-en/) for reporting and working with me to bring this CVE to the community with the associated fix.

Metadata

Created: 2024-11-20T18:24:28Z
Modified: 2024-11-26T18:59:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-ffp2-8p2h-4m5j/GHSA-ffp2-8p2h-4m5j.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-ffp2-8p2h-4m5j
Finding: F002
Auto approve: 1