CVE-2024-52796
📋 TL;DR
Password Pusher versions before v1.49.0 contain a rate limiter bypass vulnerability that allows attackers to forge proxy headers and send unlimited traffic, potentially causing denial of service. This affects all deployments using the affected versions. The vulnerability is mitigated by restricting proxy authorization to local IPs.
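The two client-IP resolution strategies the advisory contrasts, as an added Ruby example (not Password Pusher's own code): a rate limiter keyed on the leftmost X-Forwarded-For value can be reset per request by a forged header, while one that only honours hops set by trusted local proxies keys every request on the real peer. The trusted ranges, the proxy address 10.0.0.2 and the client/forged addresses are constructed for the example.

```ruby
require 'ipaddr'

# Proxies allowed to set X-Forwarded-For: loopback plus the RFC 1918 ranges (the
# "local IPs" the advisory refers to). Constructed for this example.
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }

def trusted_proxy?(ip)
  addr = IPAddr.new(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

def forwarded_hops(xff)
  (xff || '').split(',').map(&:strip).reject(&:empty?)
end

# Vulnerable resolution: trust the leftmost X-Forwarded-For hop unconditionally,
# so whatever the client wrote into the header becomes its rate-limit key.
def client_ip_unrestricted(remote_addr, xff)
  forwarded_hops(xff).first || remote_addr
end

# Fixed resolution: walk the chain from the right, skipping trusted proxies; the
# first untrusted hop is the real client and anything further left is ignored.
def client_ip_restricted(remote_addr, xff)
  return remote_addr unless trusted_proxy?(remote_addr)
  forwarded_hops(xff).reverse_each { |hop| return hop unless trusted_proxy?(hop) }
  remote_addr
end

# Constructed scenario: the app sits behind a local reverse proxy (10.0.0.2) that
# appends the peer address, and an external client at 203.0.113.7 sends `requests`
# requests, each carrying a different forged X-Forwarded-For prefix. Returns how
# many pass a fixed-window limiter of `limit` requests per resolved client IP.
def simulate(resolver, requests: 20, limit: 5)
  counts = Hash.new(0)
  (1..requests).count do |i|
    key = send(resolver, '10.0.0.2', "198.51.100.#{i}, 203.0.113.7")
    (counts[key] += 1) <= limit
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted: #{simulate(:client_ip_unrestricted)} of 20 allowed"  # 20
  puts "restricted:   #{simulate(:client_ip_restricted)} of 20 allowed"    # 5
end
```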
💻 Affected Systems
- Password Pusher
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through resource exhaustion, making the application unavailable to legitimate users.
Likely Case
Degraded performance or intermittent availability issues due to excessive traffic bypassing rate limits.
If Mitigated
Minimal impact with proper proxy/firewall controls or patched version.
🎯 Exploit Status
Exploitation requires ability to send forged proxy headers, which is trivial with standard HTTP tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.49.0
Vendor Advisory: https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
Restart Required: Yes
Instructions:
1. Download v1.49.0 from GitHub releases.
2. Replace the existing Password Pusher installation.
3. Restart the application service.
🔧 Temporary Workarounds
Block External Proxy Headers
Configure the proxy/firewall to reject X-Forwarded-* headers from external clients.
# Example nginx config for the internet-facing proxy: overwrite any client-supplied
# X-Forwarded-For with the connecting peer's address so that only this proxy sets it
# ($proxy_add_x_forwarded_for would append to, and so preserve, a forged client value)
location / {
    proxy_set_header X-Forwarded-For $remote_addr;
}
🧯 If You Can't Patch
- Implement strict rate limiting at network perimeter (e.g., WAF, load balancer).
- Monitor for abnormal traffic patterns and block suspicious IPs.
🔍 How to Verify
Check if Vulnerable:
Check Password Pusher version; if <1.49.0 and behind a proxy, it's vulnerable.
Check Version:
Check application logs or web interface footer for version string.
Verify Fix Applied:
Confirm version is >=1.49.0 and test rate limiting with forged X-Forwarded-For headers.
📡 Detection & Monitoring
Log Indicators:
- Unusually high request rates from single IPs
- Requests with spoofed X-Forwarded-* headers
Network Indicators:
- Traffic spikes bypassing normal rate limits
- HTTP requests with manipulated proxy headers
SIEM Query:
source="password-pusher-logs" | stats count by src_ip | where count > threshold