GHSA SYNC: 1 brand new advisory

gems/pwpush/CVE-2024-52796.yml

@@ -0,0 +1,48 @@
+---
+gem: pwpush
+cve: 2024-52796
+ghsa: ffp2-8p2h-4m5j
+url: https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
+title: Password Pusher rate limiter can be bypassed by forging proxy headers
+date: 2024-11-20
+description: |
+  ### Impact
+
+  Password Pusher comes with a configurable rate limiter.
+  In versions prior to [v1.49.0], the rate limiter could be bypassed by forging
+  proxy headers allowing bad actors to send unlimited traffic to the site
+  potentially causing a denial of service.
+
+  ### Patches
+
+  In [v1.49.0], a fix was implemented to only authorize proxies on local IPs which
+  resolves this issue.
+
+  If you are running a remote proxy, please see
+  [this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies)
+  on how to authorize the IP address of your remote proxy.
+
+  ### Workarounds
+
+  It is highly suggested to upgrade to at least [v1.49.0] to mitigate this risk.
+
+  If for some reason you cannot immediately upgrade, the alternative
+  is that you can add rules to your proxy and/or firewall to not
+  accept external proxy headers such as `X-Forwarded-*` from clients.
+
+  ### References
+
+  The new settings are [configurable to authorize remote proxies][1].
+
+  [v1.49.0]: https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
+  [1]: https://docs.pwpush.com/docs/proxies/#trusted-proxies
+cvss_v3: 5.3
+patched_versions:
+  - ">= 1.49.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-52796
+    - https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0
+    - https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j
+    - https://docs.pwpush.com/docs/proxies/#trusted-proxies
+    - https://github.com/advisories/GHSA-ffp2-8p2h-4m5j