Rate Limiting Bypass in Password Pusher by PGLombardo
CVE-2024-52796

Currently unrated

Key Information:

Vendor

PGLombardo

Vendor
CVE Published:
20 November 2024

What is CVE-2024-52796?

Password Pusher, an open-source application for securely sharing sensitive information, contains a vulnerability in its rate limiting feature, which can be exploited by unauthorized actors. In versions prior to v1.49.0, attackers are able to bypass the rate limiter by manipulating proxy headers. This flaw allows them to generate excessive traffic, potentially leading to a denial of service. The v1.49.0 update addresses this issue by restricting proxy authorization to local IPs. To mitigate risks in earlier versions, users are advised to implement rules in their proxy configurations or firewalls to reject external proxy headers like 'X-Forwarded-*'.

References

Timeline

  • Vulnerability published

.