PT-2024-35447 · Unknown · Password Pusher

Published: 2024-10-14 · Updated: 2024-11-21 · CVE-2024-52796

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Password Pusher versions prior to v1.49.0

Description
The issue is in the rate limiter of Password Pusher, which can be bypassed by forging proxy headers: because the limiter keys on a client address taken from those headers, an attacker who controls them can send unlimited traffic to the site, potentially causing a denial of service. The same bypass also makes brute-force attacks against the application easier to carry out.

Recommendations
For versions prior to v1.49.0, upgrade to at least v1.49.0 to mitigate this risk. As a temporary workaround, add rules to your proxy and/or firewall so that proxy headers such as X-Forwarded-* are not accepted from external clients. If you are running a remote proxy, authorize the IP address of that proxy according to the documentation, so that only its forwarded headers are trusted.
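The following Ruby script is an added illustration of the weakness class and its mitigation; it is not Password Pusher's own code and does not reproduce its rate-limiter configuration. It assumes a Rack-style request environment hash and a Rack::Attack-style throttle keyed on client IP. The constructed trusted-proxy range (10.0.0.0/8), proxy address (10.0.0.5) and client addresses are placeholders chosen for the demonstration. The naive resolver takes the leftmost X-Forwarded-For entry from any peer, so a client that changes that value on every request gets a fresh throttle bucket each time; the hardened resolver only honours the header when the TCP peer is a known proxy and walks the chain from the right past its own proxies, so the throttle key stays pinned to the address the proxy actually observed.

```ruby
require "ipaddr"

# Constructed trusted-proxy list: the addresses your own reverse proxy
# connects from. Anything else is treated as an untrusted client.
TRUSTED_PROXIES = [IPAddr.new("10.0.0.0/8"), IPAddr.new("127.0.0.1")].freeze

def parse_ip(str)
  IPAddr.new(str)
rescue ArgumentError
  nil # malformed or empty address
end

def trusted_proxy?(str)
  ip = parse_ip(str)
  !ip.nil? && TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# Vulnerable form: trusts the leftmost X-Forwarded-For entry from any peer,
# so the throttle key is chosen by whoever sends the request.
def naive_client_ip(env)
  first = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").first.to_s.strip
  first.empty? ? env["REMOTE_ADDR"] : first
end

# Hardened form: honour X-Forwarded-For only when the TCP peer is one of our
# proxies, then walk the chain right-to-left, skipping our own proxies, and
# stop at the first address not under our control. A malformed hop or a
# chain made up entirely of our proxies falls back to the peer address.
def hardened_client_ip(env)
  peer = env["REMOTE_ADDR"]
  return peer unless trusted_proxy?(peer)

  chain = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map(&:strip).reject(&:empty?)
  chain.reverse_each do |hop|
    next if trusted_proxy?(hop)
    return parse_ip(hop) ? hop : peer
  end
  peer
end

# Minimal in-memory throttle, keyed by whatever the supplied resolver returns.
class Throttle
  def initialize(limit:, key_fn:)
    @limit = limit
    @key_fn = key_fn
    @counts = Hash.new(0)
  end

  # Returns true while the key is under its limit, false once it is exceeded.
  def allow?(env)
    key = @key_fn.call(env)
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

# Constructed scenario: one real client (198.51.100.7) behind our trusted
# proxy (10.0.0.5). The client forges a different leftmost XFF value on every
# request; the proxy appends the address it actually saw. Returns how many of
# the requests the throttle let through.
def simulate(key_fn, limit: 5, attempts: 20)
  throttle = Throttle.new(limit: limit, key_fn: key_fn)
  attempts.times.count do |i|
    env = {
      "REMOTE_ADDR" => "10.0.0.5",
      "HTTP_X_FORWARDED_FOR" => "203.0.113.#{i}, 198.51.100.7",
    }
    throttle.allow?(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "naive resolver allowed:    #{simulate(method(:naive_client_ip))} of 20"
  puts "hardened resolver allowed: #{simulate(method(:hardened_client_ip))} of 20"
end
```

With a limit of 5, the naive resolver admits all 20 forged requests because every one lands in a new bucket, while the hardened resolver admits 5 and throttles the rest. The same logic is what the workaround above achieves at the proxy or firewall layer: strip or reject X-Forwarded-* from anything that is not your own proxy, and list that proxy explicitly so the application can tell its headers from a client's.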

Exploit

Fix

Weakness Enumeration
Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers
BDU:2025-01263
CVE-2024-52796
GHSA-FFP2-8P2H-4M5J

Affected Products
Password Pusher