GHSA-ffp2-8p2h-4m5j

Suggest an improvement
Source
https://github.com/advisories/GHSA-ffp2-8p2h-4m5j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-ffp2-8p2h-4m5j/GHSA-ffp2-8p2h-4m5j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ffp2-8p2h-4m5j
Aliases
  • CVE-2024-52796
Published
2024-11-20T18:24:28Z
Modified
2024-11-22T21:07:38.939624Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Password Pusher rate limiter can be bypassed by forging proxy headers
Details

Impact

Password Pusher comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service.

Patches

In v1.49.0, a fix was implemented to only authorize proxies on local IPs which resolves this issue.

If you are running a remote proxy, please see this documentation on how to authorize the IP address of your remote proxy.

Workarounds

It is highly suggested to upgrade to at least v1.49.0 to mitigate this risk.

If for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept external proxy headers such as X-Forwarded-* from clients.

References

The new settings are configurable to authorize remote proxies.

References

Affected packages

RubyGems / pwpush

Package

Name
pwpush
Purl
pkg:gem/pwpush

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.49.0

Affected versions

0.*

0.1.0