GHSA-FFP2-8P2H-4M5J

Vulnerability from github – Published: 2024-11-20 18:24 – Updated: 2024-11-26 18:59
Summary
Password Pusher rate limiter can be bypassed by forging proxy headers
Details

Impact

Password Pusher comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers, which allows bad actors to send unlimited traffic to the site and potentially cause a denial of service.

Bypassing the rate limiter also makes brute-force attacks easier to carry out.

Patches

In v1.49.0, a fix was implemented to trust only proxies on local IP addresses, which resolves this issue.

If you are running a remote proxy, please see the trusted-proxies documentation (https://docs.pwpush.com/docs/proxies/#trusted-proxies) on how to authorize the IP address of your remote proxy.

Workarounds

It is highly suggested to upgrade to at least v1.49.0 to mitigate this risk.

If for some reason you cannot immediately upgrade, the alternative is to add rules to your proxy and/or firewall so that proxy headers such as X-Forwarded-* sent by external clients are not accepted.
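The following Ruby example is added here to illustrate the Impact and Patches sections; it is not Password Pusher's own code. It models a rate limiter keyed on the derived client IP, contrasts a naive "trust any X-Forwarded-For" rule with one that only honours the header when the TCP peer is a trusted local proxy, and assumes its own trusted ranges and sample addresses (TEST-NET ranges, constructed for the demo).

```ruby
require "ipaddr"

# Assumed default: only proxies on loopback/private ranges are trusted, nothing else.
LOCAL_PROXIES = %w[127.0.0.0/8 ::1/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7]
                .map { |cidr| IPAddr.new(cidr) }.freeze

def trusted_proxy?(ip, trusted)
  addr = IPAddr.new(ip)
  trusted.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Vulnerable pattern (assumed, for contrast): believe the leftmost X-Forwarded-For
# entry no matter which peer sent it, so the sender controls the rate-limit key.
def naive_client_ip(remote_addr, xff)
  first = xff.to_s.split(",").map(&:strip).find { |hop| !hop.empty? }
  first || remote_addr
end

# Fixed pattern: X-Forwarded-For only counts when the TCP peer is a trusted proxy.
# Walk the chain right to left and stop at the first hop that is not a trusted proxy.
def client_ip(remote_addr, xff, trusted: LOCAL_PROXIES)
  return remote_addr unless trusted_proxy?(remote_addr, trusted)
  hops = xff.to_s.split(",").map(&:strip).reject(&:empty?)
  hops.reverse_each { |hop| return hop unless trusted_proxy?(hop, trusted) }
  remote_addr
end

# Minimal fixed-window limiter keyed on whatever IP the caller derives.
class Limiter
  def initialize(limit)
    @limit = limit
    @counts = Hash.new(0)
  end

  def allow?(key)
    (@counts[key] += 1) <= @limit
  end
end

# Replay [remote_addr, x_forwarded_for] pairs and count how many get through.
def allowed_count(requests, limit:, &derive_ip)
  limiter = Limiter.new(limit)
  requests.count { |remote, xff| limiter.allow?(derive_ip.call(remote, xff)) }
end

# Constructed burst: one external peer sends 20 requests, each with a different forged header.
FORGED_BURST = (1..20).map { |i| ["203.0.113.5", "198.51.100.#{i}"] }.freeze
```

With the naive rule every forged header becomes a fresh key and the whole burst passes; with the fixed rule the external peer is not a trusted proxy, so all 20 requests share the key 203.0.113.5 and the limiter cuts them off.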

References

The new settings are configurable to authorize remote proxies: https://docs.pwpush.com/docs/proxies/#trusted-proxies

Credits

Thank you to Positive Technologies for reporting and working with me to bring this CVE to the community with the associated fix.


{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "pwpush"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.49.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-20T18:24:28Z",
    "nvd_published_at": "2024-11-20T17:15:20Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nPassword Pusher comes with a configurable rate limiter.  In versions prior to [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service.\n\nAdditionally, with the ability to bypass rate limiting, it also allows attackers to more easily execute brute force attacks.\n\n### Patches\n\nIn [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), a fix was implemented to only authorize proxies on local IPs which resolves this issue.\n\nIf you are running a remote proxy, please see [this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies) on how to authorize the IP address of your remote proxy.\n\n### Workarounds\n\nIt is highly suggested to upgrade to at least [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0) to mitigate this risk.\n\nIf for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept external proxy headers such as `X-Forwarded-*` from clients.\n\n### References\n\nThe new settings are [configurable to authorize remote proxies](https://docs.pwpush.com/docs/proxies/#trusted-proxies).\n\n### Credits\n\nThank you to [Positive Technologies](https://www.ptsecurity.com/ww-en/) for reporting and working with me to bring this CVE to the community with the associated fix.\n",
  "id": "GHSA-ffp2-8p2h-4m5j",
  "modified": "2024-11-26T18:59:48Z",
  "published": "2024-11-20T18:24:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52796"
    },
    {
      "type": "WEB",
      "url": "https://docs.pwpush.com/docs/proxies/#trusted-proxies"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pglombardo/PasswordPusher"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pwpush/CVE-2024-52796.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Password Pusher rate limiter can be bypassed by forging proxy headers"
}

