GHSA-ffp2-8p2h-4m5j
First published: Wed Nov 20 2024(Updated: )
### Impact Password Pusher comes with a configurable rate limiter. In versions prior to [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service. Additionally, with the ability to bypass rate limiting, it also allows attackers to more easily execute brute force attacks. ### Patches In [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), a fix was implemented to only authorize proxies on local IPs which resolves this issue. If you are running a remote proxy, please see [this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies) on how to authorize the IP address of your remote proxy. ### Workarounds It is highly suggested to upgrade to at least [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0) to mitigate this risk. If for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept external proxy headers such as `X-Forwarded-*` from clients. ### References The new settings are [configurable to authorize remote proxies](https://docs.pwpush.com/docs/proxies/#trusted-proxies). ### Credits Thank you to [Positive Technologies](https://www.ptsecurity.com/ww-en/) for reporting and working with me to bring this CVE to the community with the associated fix.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/pwpush | <1.49.0 | 1.49.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
- https://nvd.nist.gov/vuln/detail/CVE-2024-52796
- https://docs.pwpush.com/docs/proxies/#trusted-proxies
- https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pwpush/CVE-2024-52796.yml
- https://github.com/advisories/GHSA-ffp2-8p2h-4m5j (Advisory)
- agent/severity
- agent/first-publish-date
- agent/event
- agent/type
- agent/softwarecombine
- agent/weakness
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-ffp2-8p2h-4m5j
- alias/CVE-2024-52796
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/description
- collector/github-advisory
- agent/trending
- agent/tags
- agent/source
- package-manager/rubygems