Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Password Pusher rate limiter can be bypassed by forging proxy headers
Impact
Password Pusher comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers, allowing bad actors to send unlimited traffic to the site and potentially causing a denial of service.
Additionally, with the ability to bypass rate limiting, it also allows attackers to more easily execute brute force attacks.
Patches
In v1.49.0, a fix was implemented to only authorize proxies on local IPs, which resolves this issue.
If you are running a remote proxy, please see this documentation on how to authorize the IP address of your remote proxy.
Workarounds
It is highly suggested to upgrade to at least v1.49.0 to mitigate this risk.
If for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept external proxy headers such as X-Forwarded-* from clients.
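The fix and the workaround above come down to one rule: only a proxy you operate may tell the application who the client is. The Ruby below is an added example, not Password Pusher's own code; `LOCAL_PROXIES`, `client_ip`, `RateLimiter` and the request traffic are all constructed here to show why a forged `X-Forwarded-For` from an untrusted peer no longer changes the rate-limit key, while the pre-fix trust-everyone setting lets each forged header open a fresh bucket.

```ruby
require "ipaddr"

# Added example (not Password Pusher's code): derive the rate-limit key from
# the real client address, honouring X-Forwarded-For only when the TCP peer
# is a proxy on a local address, as the v1.49.0 fix is described to do.
LOCAL_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                   ::1/128 fc00::/7].map { |cidr| IPAddr.new(cidr) }.freeze

ANY_PROXY = [IPAddr.new("0.0.0.0/0")].freeze # pre-fix: every peer counts as a proxy

def trusted_proxy?(ip, trusted)
  addr = IPAddr.new(ip)
  trusted.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# remote_addr is the TCP peer; xff is the raw X-Forwarded-For value (or nil).
# Walk the header right to left: hops appended by trusted proxies are skipped
# and the first untrusted hop is the client. A peer that is not a trusted
# proxy never gets to influence the key, so a forged header is ignored.
def client_ip(remote_addr, xff, trusted: LOCAL_PROXIES)
  return remote_addr unless trusted_proxy?(remote_addr, trusted)
  hops = xff.to_s.split(",").map(&:strip).reject(&:empty?)
  client = hops.reverse.find { |hop| !trusted_proxy?(hop, trusted) } || hops.first
  client || remote_addr
end

# Minimal fixed-window counter keyed by whatever client_ip returns.
class RateLimiter
  def initialize(limit)
    @limit = limit
    @counts = Hash.new(0)
  end

  def allow?(key)
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

# Count how many of the given [remote_addr, xff] requests get through.
def admitted(requests, limit:, trusted: LOCAL_PROXIES)
  limiter = RateLimiter.new(limit)
  requests.count { |remote, xff| limiter.allow?(client_ip(remote, xff, trusted: trusted)) }
end

# Constructed traffic: one internet host sends 20 requests, each carrying a
# different forged X-Forwarded-For, against a limit of 5 per client.
FORGED = Array.new(20) { |i| ["203.0.113.7", "198.51.100.#{i + 1}"] }.freeze
```

With `LOCAL_PROXIES` the 20 forged requests share the peer's key and only 5 are admitted; with `ANY_PROXY` all 20 get through, which is the behaviour the advisory describes.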
References
The new settings are configurable to authorize remote proxies.
Credits
Thank you to Positive Technologies for reporting and working with me to bring this CVE to the community with the associated fix.
Permalink: https://github.com/advisories/GHSA-ffp2-8p2h-4m5j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZnAyLThwMmgtNG01as4ABBly
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 20 days ago
Updated: 14 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Percentage: 0.00045
EPSS Percentile: 0.17556
Identifiers: GHSA-ffp2-8p2h-4m5j, CVE-2024-52796
References:
- https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
- https://nvd.nist.gov/vuln/detail/CVE-2024-52796
- https://docs.pwpush.com/docs/proxies/#trusted-proxies
- https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pwpush/CVE-2024-52796.yml
- https://github.com/advisories/GHSA-ffp2-8p2h-4m5j
Blast Radius: 1.0
Affected Packages
rubygems:pwpush
Dependent packages: 0
Dependent repositories: 0
Downloads: 2,622 total
Affected Version Ranges: < 1.49.0
Fixed in: 1.49.0
All affected versions: 0.1.0
All unaffected versions: