Updated advisory posts against rubysec/ruby-advisory-db@928ab91

jasnow · RubySec CI · commit f056890bb625 · 2024-11-21T20:40:14.000Z
diff --git a/advisories/_posts/2024-11-20-CVE-2024-52796.md b/advisories/_posts/2024-11-20-CVE-2024-52796.md
@@ -0,0 +1,56 @@
+---
+layout: advisory
+title: 'CVE-2024-52796 (pwpush): Password Pusher rate limiter can be bypassed by forging
+  proxy headers'
+comments: false
+categories:
+- pwpush
+advisory:
+  gem: pwpush
+  cve: 2024-52796
+  ghsa: ffp2-8p2h-4m5j
+  url: https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
+  title: Password Pusher rate limiter can be bypassed by forging proxy headers
+  date: 2024-11-20
+  description: |
+    ### Impact
+
+    Password Pusher comes with a configurable rate limiter.
+    In versions prior to [v1.49.0], the rate limiter could be bypassed by forging
+    proxy headers allowing bad actors to send unlimited traffic to the site
+    potentially causing a denial of service.
+
+    ### Patches
+
+    In [v1.49.0], a fix was implemented to only authorize proxies on local IPs which
+    resolves this issue.
+
+    If you are running a remote proxy, please see
+    [this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies)
+    on how to authorize the IP address of your remote proxy.
+
+    ### Workarounds
+
+    It is highly suggested to upgrade to at least [v1.49.0] to mitigate this risk.
+
+    If for some reason you cannot immediately upgrade, the alternative
+    is that you can add rules to your proxy and/or firewall to not
+    accept external proxy headers such as `X-Forwarded-*` from clients.
+
+    ### References
+
+    The new settings are [configurable to authorize remote proxies][1].
+
+    [v1.49.0]: https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
+    [1]: https://docs.pwpush.com/docs/proxies/#trusted-proxies
+  cvss_v3: 5.3
+  patched_versions:
+  - ">= 1.49.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-52796
+    - https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
+    - https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
+    - https://docs.pwpush.com/docs/proxies/#trusted-proxies
+    - https://github.com/advisories/GHSA-ffp2-8p2h-4m5j
+---
